We'd be happy to help you out with that spec....
September 5, 2013 1:12 PM

 
Only they are cleared for the Bullrun program, the successor to one called Manassas — both names of American Civil War battles. A parallel GCHQ counterencryption program is called Edgehill, named for the first battle of the English Civil War of the 17th century.

Why would these programs be named after civil war battles if they're not intended specifically for use against their own people?
posted by Slothrup at 1:22 PM on September 5, 2013 [68 favorites]


The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The public can probably make informed guesses, at this point.
posted by Blazecock Pileon at 1:22 PM on September 5, 2013 [3 favorites]


Bruce Schneier : We need to take it back
Government and industry have betrayed the internet, and us.

By subverting the internet at every level to make it a vast, multi-layered and robust surveillance platform, the NSA has undermined a fundamental social contract. The companies that build and manage our internet infrastructure, the companies that create and sell us our hardware and software, or the companies that host our data: we can no longer trust them to be ethical internet stewards.
This leak looks like "the big one", and judging from early reactions is going to be the dam finally breaking for the majority of the tech community who are disgusted by this and have the power to stop it.
posted by crayz at 1:23 PM on September 5, 2013 [37 favorites]


We should probably also note ProPublica's editorial: Why We Published The Decryption Story
posted by Going To Maine at 1:23 PM on September 5, 2013 [6 favorites]


The magnitude of this new revelation cannot be overestimated.

It is literally like discovering that there's a single key that unlocks almost every door in the world - a key that, so far, only the government has.

This is madness. e-commerce sales topped a trillion dollars recently - that's a million million dollars. How much would it be worth for, say, the Russian Mafia to get a copy of this key? How much could they offer the NSA spooks who owned it to defect?
posted by lupus_yonderboy at 1:26 PM on September 5, 2013 [31 favorites]


Why would these programs be named after civil war battles if they're not intended specifically for use against their own people?

In all seriousness, I'm going to guess that an originator had ties to Manassas, VA, which is near Washington. It comes time to fork/re-name the project, and someone (whether the originator or a successor) says 'How can we name this in a manner which ties it to the original name? Towns in Virginia? That sucks. What else is 'Manassas?' Oh yeah, a Civil War battle! There's a unique naming convention! Next one's 'Bull Run.'"

Which speaks volumes about how amoral and revolting you'd have to be to work on something like that-- you don't see the unfortunate associations in the name, and if you did you'd only change it for PR reasons.
posted by Mayor Curley at 1:28 PM on September 5, 2013 [5 favorites]


It wouldn't take 1% of that money for a bribeable person with access to divulge the key to interested parties. This is unconscionable, unsurprising but having it publicly known is still startling.
posted by arcticseal at 1:29 PM on September 5, 2013


I know some neckbeards who are going to be So. Fucking. Smug. tomorrow.
posted by fullerine at 1:30 PM on September 5, 2013 [15 favorites]


God bless the Guardian newspaper. They're doing what media is supposed to do.
posted by KokuRyu at 1:31 PM on September 5, 2013 [70 favorites]


I doubt that public outcry alone would do much to reverse the inertia at this point...too many people have had access to the cookie jar to smash it at this point. The most we could probably expect is a re-branding/re-organization of the agency, additional oversight, theatrical hearings, etc.

Hits to the profits of American tech companies...that's another matter. The problem is that I'm just not sure there's enough diversity in the market to support people/companies/governments voting with their feet. Who's stuff will you buy, and where will you host it? Whose network gear or backbones will the traffic traverse? And so on. I can't even see a way out of it all except to scrap the whole thing and start over, somehow.
posted by jquinby at 1:31 PM on September 5, 2013 [2 favorites]


I know some neckbeards who are going to be So. Fucking. Smug. tomorrow.

Those guys were actually already smug.
posted by GuyZero at 1:32 PM on September 5, 2013 [30 favorites]


To the extent that this was likely to come out sooner, rather than later, I wonder how harsh the long-term monetary backlash against American software and hardware companies will be.

If you're an international customer looking to buy technology, why buy it from the US when you know it will likely be shipped to you with exploits built-in fresh from the factory?

It's not just the United States' intelligence community that will be able to defeat the security, after all, but anyone with knowledge of the backdoor — your competitors, your own government, etc.
posted by Blazecock Pileon at 1:33 PM on September 5, 2013 [6 favorites]


Turns out, they were right all along. They fucking deserve to be smug.
posted by JHarris at 1:33 PM on September 5, 2013 [52 favorites]


"The secrecy of these programs is crucial to our leaders' ability to make informed decisions about matters of national security," some people will say.

But here's the thing. Right now members of Congress are debating whether we should launch cruise missiles at Syria. If they like, they can go into a special room and look at a secret 12-page report saying why the executive believes what he does.

This secret 12-page report is based on maybe 300 individual intelligence reports. These reports include communications intercepts that have allegedly been misinterpreted. There are allegations that the Syrian government expressed surprise at the use of chemical weapons.

Your elected representatives are, by default, forbidden from looking at these 300 classified documents. They are being asked to vote for an act of war without being privileged to know why.

Your elected representatives are trusted to make life-or-death decisions, but they are not trusted with the information necessary to make an informed decision. We, as a society, have the right to exercise informed consent to the methods used to police and protect us. We have deprived an entire branch of government from exercising this right on our behalf.

This leak is a huge revelation. If we want such secrets to be respected in the future, we need to rethink how and why we, as society, determine who is allowed to know what.
posted by compartment at 1:34 PM on September 5, 2013 [22 favorites]


It's not just the United States' intelligence community that will be able to defeat the security, after all, but anyone with knowledge of the backdoor — your competitors, your own government, etc.

So it's all a huge problem but I don't know if using Yandex email is a heck of a lot better than gmail or hotmail.
posted by GuyZero at 1:34 PM on September 5, 2013


It's not just the United States' intelligence community that will be able to defeat the security, after all, but anyone with knowledge of the backdoor — your competitors, your own government, etc.

Also the various countries in which the products are manufactured, most of which are not the US.
posted by elizardbits at 1:34 PM on September 5, 2013


Carl: So it's a code breaker.

Martin Bishop: No. It's THE code breaker. No more secrets...

posted by Cash4Lead at 1:35 PM on September 5, 2013 [31 favorites]


For technical detail about the (assumed) weakness in question: The Strange Story of Dual_EC_DRBG (2007)
posted by RobotVoodooPower at 1:35 PM on September 5, 2013 [12 favorites]


Also of interest is Bruce Schneier's How to remain secure against NSA surveillance article, published today in The Guardian, which he wrote after being given access to Snowden's documents. In short, the NSA hasn't broken the principles underlying the better designed cryptographic protocols, instead they've made deliberate efforts to subvert specific implementations of these cryptographic protocols.
posted by RichardP at 1:36 PM on September 5, 2013 [19 favorites]


If you're an international customer looking to buy technology, why buy it from the US when you know it will likely be shipped to you with exploits built-in fresh from the factory?

Unfortunately a lot of other software vendors are based in or outsource to Eastern Europe and China.
posted by Mayor Curley at 1:37 PM on September 5, 2013


Towns in Virginia? That sucks. What else is 'Manassas?' Oh yeah, a Civil War battle! There's a unique naming convention! Next one's 'Bull Run.'"

I'm slightly annoyed that they didn't even think to name them after different Civil War battles.
posted by Bulgaroktonos at 1:39 PM on September 5, 2013 [9 favorites]


So it's all a huge problem but I don't know if using Yandex email is a heck of of a lot better than gmail or hotmail.

Well, Lavabit had to suspend operations — so that's one consequence. Are there any countries doing a genuinely better job of protecting civil liberties? (Iceland, maybe?) The democratic process in the US has been so blatantly usurped by corporate-government partnerships, that it will be interesting to see if market forces will push smaller companies to do business in nations that do a better job of respecting privacy and laws.
posted by Blazecock Pileon at 1:40 PM on September 5, 2013 [4 favorites]


It's like the realistic version of what "Sneakers" was all about. No Secrets Allowed
posted by lordaych at 1:40 PM on September 5, 2013 [1 favorite]


Remember when they fiddled with DES and apparently made it stronger, not weaker? Oh well. Pretty perverse that the National Security Agency operates by promoting insecurity.
posted by edd at 1:41 PM on September 5, 2013


Bulgaroktonos: "I'm slightly annoyed that they didn't even think to name them after different Civil War battles."

Well, they could technically be referring to the first battle of Manassas and the second battle of Bull Run...
posted by Joakim Ziegler at 1:41 PM on September 5, 2013


I can see how Hastings would be killed for this.
posted by SPUTNIK at 1:42 PM on September 5, 2013 [6 favorites]


Awesome article, RobotVoodooPower. The guys who deserve to be smug are Dan Shumow and Niels Ferguson, who managed to prove that there exist numbers that make this random number generator completely predictable, six years before any other sniff of NSA sneakery.
posted by topynate at 1:42 PM on September 5, 2013 [3 favorites]


To be fair to the bogeyman, they proper kept this shit under wraps for years.
That's the first bit of actual competent intelligence work we've heard about for a while.

Their PowerPoint skills however, remain an embarrassment.
posted by fullerine at 1:43 PM on September 5, 2013 [6 favorites]


.
posted by tilde at 1:45 PM on September 5, 2013


(missed previous Sneakers reference)

Normally this would be like a big WTF moment but none of this has surprised me so far, growing up reading "paranoid" cyberpunk books, disinfo.com back in the day, etc. Surreal but not surprising. Feeling nihilistic, like fuck it all let's just fuck and eat, the more you wonder who the "bad guys" are the crazier you get
posted by lordaych at 1:46 PM on September 5, 2013 [5 favorites]


So how tricky is it to install OpenBSD these days? Apple hardware.
posted by mr_roboto at 1:46 PM on September 5, 2013 [2 favorites]


Mayor Curley: "In all seriousness, I'm going to guess that an originator had ties to Manassas, VA, which is near Washington. It comes time to fork/re-name the project, and someone (whether the originator or a successor) says 'How can we name this in a manner which ties it to the original name? Towns in Virginia? That sucks. What else is 'Manassas?' Oh yeah, a Civil War battle! There's a unique naming convention! Next one's 'Bull Run.'""

Maybe. On the other hand, from the NYT story:
A parallel GCHQ counterencryption program is called Edgehill, named for the first battle of the English Civil War of the 17th century.
posted by Rhaomi at 1:49 PM on September 5, 2013 [3 favorites]


Bruce Schneier and Steve Gibson should really get medals for the work they've done to explain how serious this is and how it all works (without being condescending or overly technical).

My last FPP had a link, but Security Now on the TwiT network is an amazing and engaging show about exactly these issues. Leo LaPorte is perfect at asking the right questions and clarifying the often PhD level cryptology discussed on the show.
posted by lattiboy at 1:50 PM on September 5, 2013 [11 favorites]


Based on the history of espionage, anything the NSA has is just a bank deposit away from also being in the hands of the Russians, Chinese, North Koreans, etc.
posted by CheeseDigestsAll at 1:50 PM on September 5, 2013 [8 favorites]


Edward Snowden has GOT to be the front-runner for TIME magazine's 2013 Person of the Year.
posted by spock at 1:50 PM on September 5, 2013 [52 favorites]


Well, I think we can write off most aspersions cast against Snowden's motivations. He had a license to print money and didn't use it.
posted by ocschwar at 1:52 PM on September 5, 2013 [45 favorites]


Can we stop calling ourselves a republic and a nation of laws now?
posted by entropicamericana at 1:53 PM on September 5, 2013 [13 favorites]


Too many secrets.
posted by demiurge at 1:54 PM on September 5, 2013 [1 favorite]


lol time to give up on this universe
posted by scose at 1:55 PM on September 5, 2013 [4 favorites]


It's funny--I was reading this morning that the NSA, while it may be awesome in its ability to hoover up information (and break into secure networks too, it seems), is staggeringly incompetent in sorting that information into anything useful. So in one sense it's heartening, in that the risk of any one person's information being investigated, as opposed to collected, is low. But in another sense, it's terrifying, in that the probability of these tools being abused for personal gain (everything from LOVEINT to selling secrets to the Chinese) is intolerably high. The NSA is long overdue for a thorough audit.
posted by Cash4Lead at 1:57 PM on September 5, 2013 [1 favorite]


The NSA has a roughly $11 billion budget (according to the recent "black budget" leaks)

With the power they have revealed today, and their obviously next-level big iron: what's stopping them from "printing" money out of thin air?!?!
posted by lattiboy at 1:58 PM on September 5, 2013 [2 favorites]


A few clarifications might help a bit here.

First, there is no single key. No one person can walk out of Fort Meade with a file that lets anyone decrypt any message anywhere. Rather, there are a variety of systems -- mathematical (flaws in standards), technological (backdoors inserted in equipment), and political (coerced backdoors in companies) -- that give the NSA the ability to decrypt a wide variety of data. There is one key to the backdoor in the specific random number generator championed by the NSA (cf RobotVoodooPower's link), but that is just one system used in some places, not ubiquitously (I do not know how widespread it is).

Second, the presence of a backdoor does not mean anyone can use it. Some mathematical flaws in cryptosystems are exploitable just by knowing about them, yes, but a backdoor in a piece of equipment can be locked down just as well as any other login system. And the backdoor in the NSA-promoted random number generator has a key as well. Without the right key (and again, there is no single key here that covers everything), you can't get into the backdoor any better than you can the front.

For each of these leaks, there is always the chorus of "yeah, we pretty much guessed as much," but then it's the acknowledgement and sometimes the scope that matter. In this one, the biggest revelation for me is that the NSA seems to so broadly coerce corporations to subvert their own security and use of cryptography for the NSA's purposes. It seems very likely that Lavabit shut down because it was either: A) break its own encryption and lie to its customers about their security or B) fines and/or jail (and your replacement will take care of part (A) anyway). It's one thing for the government to have that power -- certainly governments should have power to commandeer some things when necessary -- it's another entirely for it to be done with absolutely no transparency and extremely limited oversight (by the secret court's own admission). That's too much. That's dangerous for all of us. The potential for abuse is incredibly high.
posted by whatnotever at 1:59 PM on September 5, 2013 [57 favorites]
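The "key to the backdoor" that whatnotever describes (and that the Shumow/Ferguson result linked by RobotVoodooPower proved possible), shown as an added example that is not from this thread or from any NSA or NIST document: a toy Dual_EC_DRBG on a constructed 239-element curve where the designer picks Q = e*P and keeps d = e^-1 as the key. Whoever holds d turns one observed output into the generator's next state and predicts every later output; with any other value the recovered state is simply wrong. The curve parameters, seed and scalar choices are assumptions of this example; the real generator runs on NIST P-256 and truncates each output.

```python
from math import gcd

# Constructed toy curve y^2 = x^3 + A*x + B over F_p, p = 3 (mod 4) so that a
# square root is one exponentiation.  Real Dual_EC_DRBG uses NIST P-256.
P_MOD, A, B = 239, 2, 3
INF = None  # point at infinity

def inv(v):
    return pow(v, P_MOD - 2, P_MOD)

def add(p1, p2):
    """Affine point addition on the toy curve."""
    if p1 is INF or p2 is INF:
        return p2 if p1 is INF else p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def mul(k, pt):  # double-and-add scalar multiplication
    res, acc = INF, pt
    while k:
        if k & 1:
            res = add(res, acc)
        acc = add(acc, acc)
        k >>= 1
    return res

def order(pt):  # brute force is fine on a curve this small
    n, cur = 1, pt
    while cur is not INF:
        cur, n = add(cur, pt), n + 1
    return n

def lift_x(x):
    """Recover a point (x, y) from an x-coordinate, or None if none exists."""
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None

def find_generator(min_order=20):
    for x in range(P_MOD):
        pt = lift_x(x)
        if pt and pt[1] != 0 and order(pt) >= min_order:
            return pt
    raise ValueError("no suitable point on the toy curve")

class DualEC:
    """Dual_EC_DRBG core: s_i = x(s_{i-1} P), output r_i = x(s_i Q).  The real
    generator drops 16 bits of r_i; emitting all of x only saves a 2^16 guess."""
    def __init__(self, P, Q, n, seed):
        self.P, self.Q, self.n = P, Q, n
        self.s = self._norm(seed)

    def _norm(self, s):
        return s % self.n or 1  # toy guard: scalar 0 would give the point at infinity

    def next(self):
        self.s = self._norm(mul(self.s, self.P)[0])
        return mul(self.s, self.Q)[0]

def predict(r, P, Q, n, d, count):
    """Backdoor use: if d*Q == P, one output r = x(s_i Q) yields the next
    state s_{i+1} = x(s_i P) and therefore every later output."""
    R = lift_x(r)       # +/- s_i Q; the sign is irrelevant, x is shared
    if R is None:
        return None
    S = mul(d, R)       # d * s_i * Q == s_i * P only when d is the real key
    if S is INF:
        return None
    s = S[0] % n or 1   # same normalisation as the generator
    out = []
    for _ in range(count):
        out.append(mul(s, Q)[0])       # r_{i+1}, r_{i+2}, ...
        s = mul(s, P)[0] % n or 1
    return out

def demo(seed=12345, horizon=4):
    P = find_generator()
    n = order(P)
    e = next(k for k in range(5, n) if gcd(k, n) == 1)
    Q = mul(e, P)        # the published constant; its relation to P is the secret
    d = pow(e, -1, n)    # the backdoor key: d * Q == P
    gen = DualEC(P, Q, n, seed)
    leaked = gen.next()  # the one output an attacker gets to see
    actual = [gen.next() for _ in range(horizon)]
    return {"key_ok": mul(d, Q) == P,
            "actual": actual,
            "with_key": predict(leaked, P, Q, n, d, horizon),
            "wrong_key": predict(leaked, P, Q, n, 2 * d % n, horizon)}
```

The defensive point is the one whatnotever makes: nothing in the output stream itself is exploitable; only the party that chose Q with a known d can use it, which is exactly why unexplained constants in a standard deserve suspicion.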


I hate to break it to you kids, but the NSA has reached the ultimate "too big to fail" proportions.
posted by spock at 2:00 PM on September 5, 2013 [3 favorites]


So if you're an online bank, or a large e-commerce site like Amazon, you have to now assume that even if you never agreed to hand them over and never received some sort of government order, the government has your encryption keys anyway (even if it required stealing them from you). You can only rely on the next Snowden not leaking them. The implications of this are huge. I've written about this in previous threads, but I think this has the potential to have a seriously negative impact on the economy.

What they have done is not defeat the encryption technology itself, but instead to completely subvert the web of trust it relies on. I don't see how you un-ring this bell. We can take some small comfort that SSL itself is intact, when used correctly, but only if you trust the remote host completely, which in the age of gag orders and National Security Letters seems like a fool's bargain.
posted by feloniousmonk at 2:01 PM on September 5, 2013 [11 favorites]


The corpse of J. Edgar Hoover just came in its coffin.
posted by spock at 2:02 PM on September 5, 2013 [26 favorites]


whatnotever: I think you're downplaying this too much.

> Rather, there are a variety of systems -- mathematical (flaws in standards), technological (backdoors inserted in equipment), and political (coerced backdoors in companies) -- that give the NSA the ability to decrypt a wide variety of data

Let's look at each of these in turn.

If there are flaws deliberately inserted into standards, then these flaws can in fact be used by anyone, and could easily apply to thousands of companies of all sizes.

If there are backdoors inserted into equipment, then again this means that there are passwords and ports that you could copy which would indeed allow you access to networks and machines in thousands of companies.

If there are coerced backdoors in companies, you'd need to have separate details for each company.

If the NSA is smart (something we've seen no evidence of), they'd silo the information so each company's backdoor and each piece of gear's backdoor was separately protected. But there have to be several people who have access to all of the silos; and even releasing ONE of these backdoors could, again, compromise thousands of companies.

Regardless, it's a certainty that all of this information would be tiny when put together - probably a few megabytes.
posted by lupus_yonderboy at 2:08 PM on September 5, 2013 [3 favorites]


"With the power they have revealed today, and their obviously next-level big iron: what's stopping them from "printing" money out of thin air?!?!"

Patriotism? Maybe a desire to safeguard society from abuses of power? I got nothin.
posted by Kevin Street at 2:09 PM on September 5, 2013 [3 favorites]



What they have done is not defeat the encryption technology itself, but instead to completely subvert the web of trust it relies on. I don't see how you un-ring this bell. We can take some small comfort that SSL itself is intact, when used correctly, but only if you trust the remote host completely, which in the age of gag orders and National Security Letters seems like a fool's bargain.


Precisely. You need the remote host to carry a certificate from a CA that operates outside of the NSA's jurisdiction (Iceland?), and is competent enough to keep their servers from being compromised.
posted by ocschwar at 2:09 PM on September 5, 2013


Precisely. You need the remote host to carry a certificate from a CA that operates outside of the NSA's jurisdiction (Iceland?), and is competent enough to keep their servers from being compromised.

Even then, it sounds like they're perfectly willing to plant moles in an organization to steal the keys outright. You can fly below the radar, but I don't think you could ever really be totally safe unless you own both sides.
posted by feloniousmonk at 2:11 PM on September 5, 2013 [1 favorite]


Calling it now: It will eventually come out that "Satoshi Nakamoto" was an NSA project and that Bitcoins are in fact traceable to specific users via some heretofore unknown method.
posted by Sangermaine at 2:13 PM on September 5, 2013 [30 favorites]


I was thinking earlier that the perfect conspiracy theory type explanation would be if Bitcoin was actually a distributed tool for breaking encryption.
posted by feloniousmonk at 2:14 PM on September 5, 2013 [32 favorites]


As far as the certificate trust issues brought up above, Perfect Forward Secrecy was thought to be the solution to this problem (if I understand it correctly, which I may not).

However, as of today, the underlying protocols are no longer something you can have total faith in...... and that's if they're implemented correctly, which is a big if.
posted by lattiboy at 2:14 PM on September 5, 2013 [1 favorite]


Cash4Lead: "Carl: So it's a code breaker.

Martin Bishop: No. It's THE code breaker. No more secrets...
"

Oh Great, I so look forward to Dan Brown's next book.
posted by symbioid at 2:15 PM on September 5, 2013 [1 favorite]


It is literally like discovering that there's a single key that unlocks almost every door in the world - a key that, so far, only the government has.

Turns out living in a Neal Stephenson book is not nearly as fun as reading one.
posted by dubold at 2:16 PM on September 5, 2013 [39 favorites]


Just to be paranoid, but from the moment Flame hit the news, I found it very suspicious that Microsoft still had MD5 as a protocol for their security updates.
posted by CBrachyrhynchos at 2:17 PM on September 5, 2013


We can take some small comfort that SSL itself is intact, when used correctly,

I'm not sure I believe this, given some of the comments in the memos cited in the NYTimes and Guardian articles. Unless by SSL you mean its successor, TLS. And I'm even doubtful about that.
posted by newdaddy at 2:18 PM on September 5, 2013


It sounds like it is still possible to be secure with SSL if you create all of the certificates yourself, pin them, and control both the server and the client. This is not exactly a common scenario. It's also possible that there are lower level leaks which would preclude even this.
posted by feloniousmonk at 2:20 PM on September 5, 2013 [1 favorite]




http://en.wikipedia.org/wiki/Transport_Layer_Security#Cipher

All ciphers used for SSL, and even TLS 1.0, are now considered insecure (should that be unsecure?) That's per Wikipedia, before today's revelations.
posted by newdaddy at 2:22 PM on September 5, 2013 [2 favorites]


Somewhere in Vermont, hunched at a cramped student desk in a freshman dorm, a young man exhales slowly as he stares at the blue glow of the screen. "I knew it," he says, surprising his roommate, who has never heard him speak with such conviction. "I knew my Mother was wrong."
posted by Biblio at 2:23 PM on September 5, 2013 [1 favorite]


feloniousmonk, it's not clear what technology has been broken to enable: "Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable." It may be that SSL is not intact. It has enough moving parts (certificate authorities, certificate chains, random number generators, both symmetric and asymmetric cryptosystems used 'together,' numerous implementations floating around...) that either a fundamental flaw or bugs in the most common implementation(s) are not unlikely. I'd guess (and that's all any of this is, of course) that public key cryptography is secure, but that doesn't mean SSL, which wraps a bunch of other stuff around it, still is. The mentions of breaking VPNs suggests this. VPNs usually use self-created certs, pinned, and both ends of the communication are controlled by the same party.

lupus_yonderboy, I don't mean to downplay it greatly, just to temper things a bit. Certainly, the NSA has small pieces of information, any one piece of which can give access to a large amount of data, but there are many such pieces of information, kept and used in different places, and no one piece breaks everything. And I don't believe someone like Snowden (or the vast majority of NSA employees) would have access to those keys. I could be wrong. He certainly had access to more than he "should" have.
posted by whatnotever at 2:24 PM on September 5, 2013 [1 favorite]


Also, if we're doing movie quotes

"Assume they got our phones, assume they got our houses, assume they got us, right here, right now as we sit, everything. Assume it all."
posted by fullerine at 2:24 PM on September 5, 2013 [2 favorites]


All ciphers used for SSL, and even TLS 1.0, are now considered insecure (should that be unsecure?) That's per Wikipedia, before today's revelations.

With the ciphers, it's more about being vulnerable to brute force, but with this specific revelation it's about having direct access to the keys and no need to brute force anything. Not that this isn't also bad, but it's a different kind of bad.
posted by feloniousmonk at 2:25 PM on September 5, 2013 [1 favorite]


What I still really want to know is what the heck those red dots around Antarctica mean on the XKeyScore slide from a few leaks back.
posted by jason_steakums at 2:28 PM on September 5, 2013 [4 favorites]


it's not clear what technology has been broken to enable: "Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable." It may be that SSL is not intact.

I've seen some fairly credible speculation elsewhere that this might refer to a breakthrough in the ability to defeat 1024 bit RSA which is a widely used method.
posted by feloniousmonk at 2:29 PM on September 5, 2013


whatnotever: I think you've hit the nail on the head, and I also agree with you about SSL - we don't really know if it's secure, nor which of its many moving parts to check.

Now, I'll bet a lot of crypto types will be on this to see, but the NSA has historically hired more mathematicians than any organization on the planet, so they have already subverted some large portion of the people who could figure it out...
posted by lupus_yonderboy at 2:30 PM on September 5, 2013


Kinda makes me wonder about the NSA's "Security Enhanced Linux" project....
posted by edheil at 2:30 PM on September 5, 2013 [5 favorites]


Also of interest is Bruce Schneier's How to remain secure against NSA surveillance article, published today in The Guardian

Very much so. I didn't know that the Guardian had enlisted Schneier's help and expertise, but it makes a hell of a lot of sense for them to do so: he has deep and credible domain knowledge.

His summary of his reading of the Snowden documents is devastating.
posted by We had a deal, Kyle at 2:33 PM on September 5, 2013 [3 favorites]


And they would have gotten away with it, if it weren't for that meddling kid!
posted by newdaddy at 2:35 PM on September 5, 2013 [8 favorites]


Well, shit.

I guess it's stuff we already "knew", but it damn well messes with your head.

I am in the process of choosing an email / cloud storage provider for my company. What the hell do I do? Google and Microsoft are probably giving the keys to the NSA. Going with a smaller provider *might* offer some protection, but their services realistically aren't as good and they probably have servers in the US anyway. Or do I just sod it, since US government knows everything about me anyway?
posted by milkb0at at 2:35 PM on September 5, 2013


How much would it be worth for, say, the Russian Mafia to get a copy of this key? How much could they offer the NSA spooks who owned it to defect?
posted by lupus_yonderboy at 4:26 PM on September 5


Not questioning your patriotism, comrade, but by any chance are you in charge of that key? Is this fishing for a ballpark figure?
posted by Nanukthedog at 2:35 PM on September 5, 2013 [2 favorites]


When it comes to breaking into VPNs, I was assuming it meant something more along the lines of there being a backdoor in the common VPN clients. This wouldn't be hard to accomplish with Cisco, Microsoft, etc. required to cooperate in secret. My guess is that wherever a computational answer is lacking, there's a direct-action answer such as subverting client apps, stealing keys, etc.

As someone pointed out on Hacker News, I wonder what Huawei is thinking about all of this after the beating they took in congress awhile back.
posted by feloniousmonk at 2:36 PM on September 5, 2013 [1 favorite]


It's one thing to employ people who spend their time trying to break encryption in use. It's another thing entirely to use subterfuge to introduce vulnerabilities into crypto products while they are being built.
posted by demiurge at 2:38 PM on September 5, 2013 [4 favorites]


> I am in the process of choosing an email / cloud storage provider for my company. What the hell do I do?

Given that we don't have enough information, I would frankly ignore the issue, but pick some system that's not locked in, that is easy to migrate away from.

Everyone is facing the same issue. If shit does come out, no one is going to lose their job because they didn't guess secret information. Unless you're a principal in the company, I'd just do a good job and not worry about it.
posted by lupus_yonderboy at 2:42 PM on September 5, 2013 [2 favorites]


Kinda makes me wonder about the NSA's "Security Enhanced Linux" project....

SELinux makes sense to me. If they set up a TLS backdoor that enables them to fetch keys from my Linux-Apache server, then it's in their interest to make sure that same vulnerability doesn't enable further exploitation of my server by another party. They can do the proverbial get-in-get-on-with-it-get-it-over-with-and-get-out, while the script kiddie who discovers the same vulnerability can't take over my machine for his own purposes and risk getting my attention.

tldr: I doubt SELinux is itself compromised. It's in the NSA's interest for it not to be.
posted by ocschwar at 2:45 PM on September 5, 2013 [1 favorite]


http://cryptome.org/2013/07/intel-bed-nsa.htm

It's worth noting that the maintainer of record (me) for the Linux RNG quit the project about two years ago precisely because Linus decided to include a patch from Intel to allow their unauditable RdRand to bypass the entropy pool over my strenuous objections.
posted by clorox at 2:50 PM on September 5, 2013 [24 favorites]


You have to step back and admire the artistry, the depth, the sheer fucking gall on display here.

- On one end, break into the endpoint computers (TAO, a lovely acronym for Tailored Access Ops).
- Twist the arms of the carriers to give it to you.
- Force the implementers to hand over the master keys.
- Introduce back doors into the implementations.
- Subvert the designs of the protocols at inception.

At this point, I agree that Satoshi Nakamoto is likely to turn out to be a long term honeypot operation, and bitcoin mining is probably what provided the power to break 1024-bit RSA...

Paranoid, or just not paranoid enough?
posted by RedOrGreen at 2:50 PM on September 5, 2013 [18 favorites]


What did all you outraged folks think NSA actually did before you saw this story? Sit on their hands and wait for someone to hand them some plaintext messages from foreign governments?
posted by kiltedtaco at 2:53 PM on September 5, 2013 [4 favorites]


You know, it seemed to me about a decade ago that there were two competing views of the NSA. From one perspective, it was a government agency charged with protecting secrets of the US government and businesses from foreign entities. They had lots of funding and smart people, and used that power to ensure we all used the best encryption techniques available.

Or, if you were cynical, you'd think the NSA was using its influence to plant backdoors and subtly cripple encryption technologies so that they could spy on everyone.

It's sad to see which side was right.
posted by heathkit at 2:59 PM on September 5, 2013 [4 favorites]


What did all you outraged folks think NSA actually did before you saw this story?

It's the subversion of the protocols themselves that's really bothering me. Breaking into target computers, subpoenas, even the targeted hacking - that's expected and fine and maybe even necessary to "keep us safe" (TM).

But to subvert a protocol itself and wait for it to be adopted? Now that we know that the employees felt little compunction in going fishing for LOVEINT? When they sell those to other interested parties for cash, there's no recovery from that.
posted by RedOrGreen at 3:01 PM on September 5, 2013 [9 favorites]


What did all you outraged folks think NSA actually did before you saw this story? Sit on their hands and wait for someone to hand them some plaintext messages from foreign governments?

This outraged guy assumed the worst. That does not make this any easier. Understand this is not just them trying to decrypt with a huge technology investment - they are actively trying to make the system itself less reliable. If it was just about spending $100bil to decrypt, that's pretty much still the exclusive domain of the USA. If you make the underlying systems less robust, you are making it accessible to a lot more people.

And it's not like we have seen evidence that their internal controls are actually robust.
posted by H. Roark at 3:01 PM on September 5, 2013 [5 favorites]


> What did all you outraged folks think NSA actually did before you saw this story?

We thought they were doing much as they are in fact doing. Now we know.

I should add that before recently, publicly saying what you "thought" they were doing generally led to accusations of paranoia and anti-Americanism.

And actually, even those of us who are old and jaded are shocked by the extent of their activities.
posted by lupus_yonderboy at 3:02 PM on September 5, 2013 [23 favorites]


"What did all you outraged folks think NSA actually did before you saw this story? Sit on their hands and wait for someone to hand them some plaintext messages from foreign governments?"

I'm a foreigner, so grain of salt and all that, but I think most people assumed the NSA mostly confined itself to spying on communications made by the citizens of other countries. Not the US.

What Snowden has revealed (in several different ways) is that you can't really separate "domestic" communications from "foreign" in today's world. So to do its job, the NSA has been developing the capability to spy on everybody.
posted by Kevin Street at 3:03 PM on September 5, 2013 [4 favorites]


kiltedtaco: I hoped they were specifically targeting legitimate targets. Even that TAO program seems legit - with proper oversight, of course – if it's used on identified suspects.

The difference is that unlike introducing system or protocol-level back doors, those techniques don't weaken security for everyone else. Would you be downplaying news that, say, master lock gave everyone one of 4 keys because the FBI didn't like having to hire locksmiths?

The other major concern is scale: this infrastructure is perfect for setting up a police state as soon as someone shows up with the will to try. More targeted attacks don't result in millions of other peoples' data sitting around until the will to misuse it arises.
posted by adamsc at 3:15 PM on September 5, 2013 [1 favorite]


Oh, and more targeted work wouldn't become a major threat to one of the strongest parts of our economy. Every non-US IT firm just got a huge boost from our government.
posted by adamsc at 3:17 PM on September 5, 2013 [1 favorite]


FWIW, Schneier posted a link to his Guardian pieces on his blog and is responding to questions in the comments.
Remember this: The math is good, but math has no agency. Code has agency, and the code has been subverted.
although his response to one question suggests that he considers some of the math potentially suspect too:
"On the crypto bits in your guardian piece, I found especially interesting that you suggest classic discrete log crypto over ecc. I want to ask if you could elaborate more on that."

I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.
posted by We had a deal, Kyle at 3:20 PM on September 5, 2013 [4 favorites]


Bruce Schneier, today:
"We should expose. If you do not have a security clearance, and if you have not received a National Security Letter, you are not bound by federal confidentiality requirements or a gag order. If you have been contacted by the NSA to subvert a product or protocol, you need to come forward with your story. Your employer obligations don't cover illegal or unethical activity. If you work with classified data and are truly brave, expose what you know. We need whistleblowers.

"We need to know exactly how the NSA and other agencies are subverting routers, switches, the internet backbone, encryption technologies and cloud systems. I already have five stories from people like you, and I've just started collecting. I want 50. There's safety in numbers, and this form of civil disobedience is the moral thing to do."
I don't follow Schneier closely, so I don't know if this share-your-secrets stance is new or not.

(Also, I love the fact that the leaked documents use the word "gobsmacked".)
posted by compartment at 3:21 PM on September 5, 2013 [33 favorites]


more targeted work wouldn't become a major threat to one of the strongest parts of our economy

This is a point that gets lost in the rhetoric so easily but is critical. I work for a startup whose business model does not rely on our customers trusting us with their personal information on the web, but if we did, I would be seriously worried now. There will be real fallout to these revelations of pervasive subversion for the purpose of surveillance and one bellwether might unfortunately be the decreasing willingness of investors to finance American companies which do rely on the internet's web of trust to secure customer interactions. This describes the majority of companies doing business on the internet and the risk of kicking off another tech recession is real. This would be a different kind of recession, too, because it would be self-inflicted and the money won't have disappeared in the market, it would be going into other companies, elsewhere.
posted by feloniousmonk at 3:26 PM on September 5, 2013 [4 favorites]


This describes the majority of companies doing business on the internet and the risk of kicking off another tech recession is real.

This is a strong possibility. Expect the executive branch eventually to figure this out and make promises to rein in the NSA's internet surveillance -- promises that rightfully won't convince anyone, because they've shown themselves willing to lie about anything they do. The only way to fix the damage now is disband the NSA, because no one trusts anything the government has to say about this.
posted by JHarris at 3:35 PM on September 5, 2013 [1 favorite]


Microsoft's _NSAKEY dates back to 1999, which certainly seems to fit in line with the timelines described in the articles.
posted by jenkinsEar at 3:38 PM on September 5, 2013 [2 favorites]


I bet the NSA Yanks came up with the Civil War convention

I can only imagine all the similarly-dreary project codenames the GCHQ has had to put up with over the years!
posted by clorox at 3:39 PM on September 5, 2013


I'm dismayed at how aggressively NSA has worked to undermine American businesses. Why would anyone trust products made by Intel, Microsoft, or AT&T knowing those companies have cooperated with NSA to subvert their product's security? And not just American business; German companies, too. it's bad enough if the weakened products are now open to NSA, but the real risk is someone else can exploit the same weakness NSA installed.

So now we have new confirmation of suspicions that NSA has been subverting software. It's a strong argument for only using open source code for anything you want to keep secure or private. Not a panacea, but it's a lot harder to slip a secret back door in when the code is open. But that's only a solution for software; open source hardware and firmware is a lot harder to come by.

A couple of years ago there was an effort to change Linux so its source of secure random numbers relied heavily on Intel's undocumented black box for generating random numbers. It was Linus' decision, and at the time the random number maintainer quit over it. Ted Ts'o later reverted that change, using Intel's supposedly random numbers in a much safer way.
posted by Nelson at 3:41 PM on September 5, 2013 [6 favorites]


A couple of years ago there was an effort to change Linux so its source of secure random numbers relied heavily on Intel's undocumented black box for generating random numbers. It was Linus' decision, and at the time the random number maintainer quit over it.

This was discussed up-thread.
posted by Blazecock Pileon at 3:43 PM on September 5, 2013


Also, from a certain viewpoint this is one of the most amazing and fantastic things I've ever heard.

The scope, the imagination, the levels of dedication, and the sheer chutzpah needed to pull something like this off are all remarkable in their own rights. I am both awed and morbidly elated.
posted by clorox at 3:45 PM on September 5, 2013 [2 favorites]


I want to know more about the targeting of routers and other network infrastructure, and the extent to which Cisco has been compromised by NSA.

I also feel vindicated for going with Mikrotik over Cisco. Sure, they may be compromised too, but at least I'm only paying 1/10 as much for the illusion of security.
posted by [expletive deleted] at 3:48 PM on September 5, 2013 [7 favorites]


SETEC ASTRONOMY
posted by thewalrus at 3:55 PM on September 5, 2013 [1 favorite]


dammit thewalrus, I was just going to post that...
posted by daq at 3:57 PM on September 5, 2013


So this is the year of Linux on the desktop?
posted by klarck at 3:59 PM on September 5, 2013 [11 favorites]


I no longer trust the constants. I believe the NSA has manipulated them through their relationships with industry.

As someone with a little bit of a security background, this statement is absolutely bloodchilling, coming from Schneier.
posted by CrystalDave at 4:02 PM on September 5, 2013 [30 favorites]


[Sep 5, 2013] kiltedtaco - What did all you outraged folks think NSA actually did before you saw this story? Sit on their hands and wait for someone to hand them some plaintext messages from foreign governments?

[May 5, 2013] kiltedtaco - I don't believe this (at least the gist of "every phone call in the US is recorded") ... The sheer number of installations means that a lot of people would know about this. ... I'm ok with assuming NSA-omnipotence when it comes to data storage and computing power, but keeping widely-dispersed controversial secrets is much much harder.
posted by crayz at 4:08 PM on September 5, 2013 [24 favorites]


I get it, the NSA's job is to break encryption. And pragmatically I could accept that. But what shockingly poor opsec that a basic contract sysadmin can learn of and exfiltrate all of this. Even if I trusted them to only use the power against honest-to-god ticking-time-bomb terrorists, they can't be trusted to keep it secret, keep it safe.
posted by These Premises Are Alarmed at 4:10 PM on September 5, 2013 [5 favorites]


crayz: Ouch. That's got to sting.

Looks like we've just gone down the rabbit hole. I'll be looking forward to see if the NSA tries to attend the next IETF meeting.
posted by pharm at 4:11 PM on September 5, 2013


What creeps me out about this most, is that Snowden was one of thousands (tens of thousands?) of individuals that had access to the NSA files he absconded with. He seems to have been a well-intentioned whistleblower who has only shared stuff with the press. But that means there could be dozens or even hundreds like him who are less well-intentioned and are, as we speak, selling secrets to the highest bidder.

I am not clear that Snowden had any access to the actual crypto-busting technologies he disclosed the existence of, just the evidence they exist. But there would be a non-trivial number of people who would have access to them, and it only takes one unscrupulous individual to sell it out to other governments, organized crime, supervillains etc.

So it's not just the supposedly good-guys at the NSA we have to worry about rifling through our digital stuff, it could be anybody. Thanks guys.
posted by jetsetsc at 4:11 PM on September 5, 2013 [16 favorites]


This is the part that gets me:
Earlier this year, the program found ways inside "some of the encryption chips" used by businesses and governments, either by working with chipmakers to insert backdoors or by surreptitiously exploiting existing security flaws, the NYT said.

So, um, yeah. I am very curious as to which chips they are referring to. Really makes me question the Secure Computing initiative that Microsoft has been pushing the past several years.

I always wondered if part of the MS anti-trust settlement wasn't used as leverage to get more and more access to subverting these technologies.

I wonder how long until 3D printing technology advances to the point where someone can fab their own chips. Sure, it might not be the latest and greatest, but at least it will be, um, secure?

I am also wondering how long until I absolutely have to write my own OS.
posted by daq at 4:20 PM on September 5, 2013 [1 favorite]


I am also wondering how long until I absolutely have to write my own OS.

I think this was the point behind Trusting Trust, that it's never enough.
posted by CrystalDave at 4:22 PM on September 5, 2013 [6 favorites]


You should now consider AES compromised. You can't trust NIST.
posted by eriko at 4:23 PM on September 5, 2013 [7 favorites]


Frankly the revelations by Snowden and Manning and the scope of people with access to those secrets who said nothing has really caused me reevaluate my standard "conspiracy theories are extremely implausible on their face because *someone* involved would always talk."

In the context of these two incidents it can be seen as anecdata, but in the context of the millions who had access to this information and said nothing, it can be seen as strong statistical evidence that human nature means a properly engineered "conspiracy" can be pulled off within an organizational hierarchy such that:
a) most participants don't see themselves as "members of a conspiracy", just people who know things "we" know and "they" aren't allowed to know and
b) essentially no one will tell the public those secrets, even if as a member of the public many of them would agree with the idea that they have a right to know
posted by crayz at 4:24 PM on September 5, 2013 [21 favorites]


On the plus side, I guess Matt can yank the SSL Everywhere option now.
posted by These Premises Are Alarmed at 4:26 PM on September 5, 2013


The Bruce Schneier opinion piece compartment links to is really worth reading, if you haven't seen it yet. It's a call to arms for engineers (and everyone else) to push back against this trend and start dismantling the surveillance state.

My favorite part:
Three, we can influence governance. I have resisted saying this up to now, and I am saddened to say it, but the US has proved to be an unethical steward of the internet. The UK is no better. The NSA's actions are legitimizing the internet abuses by China, Russia, Iran and others. We need to figure out new means of internet governance, ones that make it harder for powerful tech countries to monitor everything. For example, we need to demand transparency, oversight, and accountability from our governments and corporations.

Unfortunately, this is going to play directly into the hands of totalitarian governments that want to control their country's internet for even more extreme forms of surveillance. We need to figure out how to prevent that, too. We need to avoid the mistakes of the International Telecommunications Union, which has become a forum to legitimize bad government behavior, and create truly international governance that can't be dominated or abused by any one country.
posted by Kevin Street at 4:31 PM on September 5, 2013 [5 favorites]


> b) essentially no one will tell the public those secrets, even if as a member of the public many of them would agree with the idea that they have a right to know


There is a strong narrative present in media about those who "betray secrets" of any large organization in which not only do those betrayers suffer the unspeakable, but so do their friends and families...

I suspect that narrative, along with the knowledge and exposure of much of what the US has done along the lines of Gitmo and the like, added to the very strong and threatening language in these documents, makes the potential price of doing so much greater than just sacrificing oneself, and becomes a moral horizon many could not cross.

I would have thought that to be excessively unlikely in years past, but I cannot deny it now.
posted by MysticMCJ at 4:31 PM on September 5, 2013 [1 favorite]


I honestly have no idea what sort of contradiction you're trying to catch me in, but thanks for retreading my insightful and informative posting history. Nothing we have learned since then has contradicted my statements.
posted by kiltedtaco at 4:33 PM on September 5, 2013


Another thought. Now that we know for sure that these exploits are there, how long until the hackers find them? That will be the real fun. Seeing how long until someone reverse-engineers these hacks and broken locks and the zero day exploits start rolling in from all over the place.

It was one thing when it was just speculation and the occasional security expert stumbling across a "bug" in a system. But now it is known that the "bugs" were intentionally put there.

Anything you can think of, your enemy can think of too.
posted by daq at 4:34 PM on September 5, 2013 [5 favorites]


The perverse thing is that the NSA and the American government (and a big chunk of the media) are going to look at this and say, "Snowden hurt America by telling malefactors that these exploits exist" and it will never occur to them that they hurt America by putting the exploits there in the first place.
posted by Kevin Street at 4:39 PM on September 5, 2013 [18 favorites]


Anything you can think of, your enemy can think of too.

Externals are slow.
posted by effugas at 4:46 PM on September 5, 2013


You should now consider AES compromised.

The NSA certifies AES for US government encryption of top secret data... why would they sabotage the encryption and then recommend it to the people they supposedly work for?
posted by Noisy Pink Bubbles at 4:54 PM on September 5, 2013


I think a fair bit of this outrage is that for a long time, we had this academic and libertarian ideal about the structure of our modern communication systems. Information wants to be free! The Internet routes packets around damage and taps! We placed a great deal of trust in the idea that if RSA and Diffie-Hellman say that an algorithm can't be cracked before the heat death of the universe, then it's good enough to trust. For decades, we were told that the state of the art against these algorithms involved psychological trickery, torture, or bugs in implementation. Don't put your passphrase on a sticky note, use a randomly generated passphrase, and you'll be fine. The U.S., foreign governments, and organized crime were all on the same playing field in that regard.

Now it looks like all of that was wrong.
posted by CBrachyrhynchos at 4:55 PM on September 5, 2013 [2 favorites]


The NSA certifies AES for US government encryption of top secret data... why would they sabotage the encryption and then recommend it to the people they supposedly work for?

Note, though, that Windows has to be specifically configured to restrict ciphers on your machine to those that are FIPS compliant, with the "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" policy setting.
posted by bfranklin at 5:21 PM on September 5, 2013


Now that we know for sure that these exploits are there, how long until the hackers find them?

Related to that: my first thought is, how many of the security holes in the average bank's or even nuclear power plant's computer systems were intentionally introduced by our own government? As far as cyber warfare goes this seems like shooting ourselves, in a rather Elmer-Fudd-like fashion.
posted by XMLicious at 5:21 PM on September 5, 2013


Based on the history of espionage, anything the NSA has is just a bank deposit away from also being in the hands of the Russians, Chinese, North Koreans, etc.

No, I'd assume it already is. And by "the Russians", I assume you include the Russian Mafia, which is almost a governmental agency under Putin.

To be fair to the bogeyman, they proper kept this shit under wraps for years.

At least from The Public, who as common practice is always the Last to Know.

The perverse thing is that the NSA and the American government (and a big chunk of the media) are going to look at this and say, "Snowden hurt America by telling malefactors that these exploits exist" and it will never occur to them that they hurt America by putting the exploits there in the first place.

Which is a BIG LIE, because the SMART malefactors have probably gotten this info and begun using it long ago, and the NSA's less-than-competent handling of their mountain of data has kept them from finding the leaks, and bureaucratic survival tactics have kept them from doing anything overt to admit that they found anything.

The NSA certifies AES for US government encryption of top secret data... why would they sabotage the encryption and then recommend it to the people they supposedly work for?

Why would you assume the NSA works for them and isn't the entity giving the orders?
posted by oneswellfoop at 5:28 PM on September 5, 2013


we were told that the state of the art against these algorithms involved psychological trickery, torture, or bugs in implementation . . . Now it looks like all of that was wrong.

No, it was accurate to the highest degree, as that is exactly where state-of-the-art thinking led.
posted by clorox at 5:29 PM on September 5, 2013 [2 favorites]


Why would you assume the NSA works for them and isn't the entity giving the orders?

You're alleging a shadow government inside the NSA? That seems farfetched.

I mean, I know some of our assumptions have been blown out of the water today, but that statement requires a pretty high burden of proof.
posted by Noisy Pink Bubbles at 5:35 PM on September 5, 2013


Seems like the US government is almost certainly one of the NSA's primary espionage targets - that's where their money comes from. They're spies. There are perennial problems with people spying on their boyfriends and girlfriends - you can believe they're checking out the folks writing the checks.

Making sure they can read congress's mail is an important part of that process.

The thing is, they can deny it - maybe they aren't spying on congress. But we will never really know, and we can't trust them to tell the truth - they were caught in bald-faced lies to congress a few months ago.
posted by jenkinsEar at 5:42 PM on September 5, 2013 [7 favorites]


It just seems impossibly unlikely to me that they aren't spying on elected officials. I don't know if that constitutes a shadow government, and it certainly is not an unprecedented power move in American politics, but it's honestly pretty terrifying to contemplate due to the nature of the power and its reach.
posted by feloniousmonk at 5:46 PM on September 5, 2013 [5 favorites]


From the NYTimes article:
In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world. . . .

the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware.

According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.”

Can I just say, for the record*, that all of this activity--subverting of standards, requiring companies to weaken their encryption or insert backdoors, stealing keys, altering or requiring alteration of software in order to create backdoors or weaken security--should be illegal in the highest degree and those who authorized and perpetrated these activities should be disgraced and thrown in the slammer for a few decades.

*Not that I have any faith at all that this will happen, but--just as with those who authorized and perpetrated torture--we as citizens should clearly state that this is illegal and unconscionable, past perpetrators should be punished severely, and it should be made perfectly clear that anyone undertaking this type of activity in the future will be held accountable via our legal system.

I mean, target individuals as needed and as authorized (in limited manner with serious oversight) by courts. And spend time looking for existing weaknesses in security systems that can be exploited--do those sorts of things all you want. We could all see those types of things as the jobs of our security services.

But deliberately inserting weaknesses and backdoors is a crime of most serious nature against our national (and world) economy and security. Mass surveillance of the entire society falls into the same category. They are--or should be--both unconstitutional and illegal.

These crimes should be clearly called out for what they are and punished accordingly.
posted by flug at 5:47 PM on September 5, 2013 [16 favorites]


I'm in 100% agreement with you, flug. It is expressly the NSA's job to attempt to crack crypto algorithms and decrypt the communications of foreign powers/agents. Their job is to make us more secure by increasing our knowledge, ideally so that we (by we I mean our elected leaders, and to a lesser degree the public, after the fact) can make more informed decisions.

It is not their job to make us less secure by backdooring crypto systems, routers, or anything else. If they want the data, at least tap the fucking fiber. Attack the physical layer so you don't introduce weaknesses in the layers above that can then be exploited by any Curious George who looks in the right place. It is likely the case that there is no legal remedy at this point, though. Especially if it's as bad as feared and there are backdoors coming from the factory, not inserted as a result of later exploitation.

The liability for device manufacturers who were involved in planting any backdoors could be enormous, however. Expect Congress to pass a law freeing them from any responsibility for their complicity, lest we see a wave of corporations collapsing under the weight of a trillion dollars or more of damages.
posted by wierdo at 6:17 PM on September 5, 2013 [5 favorites]


The NSA certifies AES for US government encryption of top secret data... why would they sabotage the encryption and then recommend it to the people they supposedly work for?

So they can decrypt all government communications and use juicy bits for blackmail?

One would think there would be somebody with a terminal disease and no family who would speak up, though.
posted by anemone of the state at 6:23 PM on September 5, 2013 [1 favorite]


The liability for device manufacturers who were involved in planting any backdoors could be enormous, however. Expect Congress to pass a law freeing them from any responsibility for their complicity, lest we see a wave of corporations collapsing under the weight of a trillion dollars or more of damages.

This is the closest I'll get to conspiracy theorizing - I would expect those get-out-of-jail cards have already been handed out, in secret.
posted by These Premises Are Alarmed at 6:36 PM on September 5, 2013 [3 favorites]


With all respect to Schneier, there's no way to fight it. The idea of the free internet beyond the control of governments around the world was always a techno-fantasy, and now that the curtain is pulled and we know the NSA, with the full backing of the executive branch if not the entirety of congress, is willing to bring the full power of the state, threatening imprisonment, use of bribery, the full range of spycraft, and who knows, maybe even the threat of death or torture against those who won't kneel and reveal the encryption codes, that fantasy is dead. Power always resides with the people that have the guns and are willing to use them, and the NSA is now apparently willing to treat Americans as valid targets. There's no fighting that short of full fledged insurrection, which is a non-starter in a country where most everyone still has food, housing and a job.
posted by T.D. Strange at 6:43 PM on September 5, 2013 [5 favorites]


You're alleging a shadow government inside the NSA? That seems farfetched.

I mean, I know some of our assumptions have been blown out of the water today, but that statement requires a pretty high burden of proof.


Look at the current makeup of Congress. They're literally not capable of passing basic bills to keep the lights on at the Post Office, much less overseeing a vast, omnipresent international surveillance apparatus. Someone is pulling the strings, and it's not John McCain or Michele Bachmann.

The idea of a shadow de facto military coup led from the NSA and/or intelligence community is sadly not something we can dismiss out of hand anymore.
posted by T.D. Strange at 6:52 PM on September 5, 2013 [4 favorites]


But what happens now that we the American citizenry and the rest of the world have all this evidence? So far the government hasn't really given a fuck that this information is out in the wild, short of losing their minds that they can't catch Snowden at the moment.
posted by straight_razor at 6:52 PM on September 5, 2013


So should I just start assuming everything I touch with an on/off switch is compromised at the hardware level, so's to save some time when this Internet Of Things I keep hearing about comes round?
posted by PMdixon at 6:54 PM on September 5, 2013


With all respect to Schneier, there's no way to fight it.

Look at the future from the perspective of game theory, with recursively forking possibilities.

Are the possible futures where the bad guys win even worth living in?
Wouldn't you rather have a future where you at least tried to fight them?
posted by anemone of the state at 6:56 PM on September 5, 2013 [8 favorites]


I am reminded of this paper from 2012: Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices, which discovered a range of weaknesses in deployed SSH and TLS keys due to "insufficient entropy", "entropy problems", "insufficient signature randomness", etc. They actually factored a nontrivial number of RSA and DSA keys as a result. If you imagine that the source of these key generation deficiencies is systematic rather than accidental, the designer of the deficiency could factor well more than 1% of the defective keys.

My crazy viewpoint: unless the NSA has subverted physics, it is possible to build modest-rate hardware random number generators (e.g., 200kBit/s), and whatever operations are subverted in our CPUs, 8-bit XOR is not one of them. Let's just use one-time pad cryptography. Of course, we'll have to exchange our one-time pads in person with anyone we want to communicate with, but that's life.
posted by jepler at 6:58 PM on September 5, 2013 [6 favorites]
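The shared-prime failure that paper found is something you can scan your own key inventory for. What follows is an added example, not code from the paper's authors or from the comment above: the batch-GCD approach (product tree plus remainder tree) run over constructed sample moduli built from small primes, with a pairwise fallback for a key whose two primes are both reused elsewhere.

```python
"""Batch-GCD scan for RSA moduli that share a prime factor.

Added illustration of the technique described in "Mining Your Ps and Qs";
not the paper's own code.  Keys generated with too little entropy can end
up sharing a prime with a key on another device, and a GCD of the two
moduli then reveals that prime and factors both keys.  Checking every
pair is quadratic; a product tree and a remainder tree handle the whole
batch in quasi-linear time.

The sample moduli are constructed from small primes so the scan runs
instantly; real moduli are 1024 bits and up, but the arithmetic is the same.
"""
from math import gcd

# Constructed sample primes (all just above 10000).  Key 0 shares 10007
# with key 2 and 10009 with key 5; key 1 shares 10037 with key 5.
SAMPLE_MODULI = [
    10007 * 10009,  # key 0: both primes reused elsewhere
    10037 * 10039,  # key 1
    10007 * 10061,  # key 2
    10067 * 10069,  # key 3: unique primes, should come back clean
    10079 * 10091,  # key 4: unique primes
    10009 * 10037,  # key 5: both primes reused elsewhere
]


def product_tree(values):
    """Return levels of pairwise products; tree[0] is the input, tree[-1] the root."""
    tree = [list(values)]
    while len(tree[-1]) > 1:
        prev = tree[-1]
        tree.append([prev[i] * prev[i + 1] if i + 1 < len(prev) else prev[i]
                     for i in range(0, len(prev), 2)])
    return tree


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, product of all the other moduli)."""
    tree = product_tree(moduli)
    rems = [tree[-1][0]]                      # root: product of every modulus
    for level in reversed(tree[:-1]):         # remainder tree, walking down
        rems = [rems[i // 2] % (x * x) for i, x in enumerate(level)]
    # rems[i] == P mod N_i^2, so rems[i] // N_i == (product of others) mod N_i
    return [gcd(n, r // n) for n, r in zip(moduli, rems)]


def find_weak_keys(moduli):
    """Map index -> (p, q) for every modulus factorable through a shared prime."""
    weak = {}
    for i, (n, g) in enumerate(zip(moduli, batch_gcd(moduli))):
        if g == 1:
            continue                          # shares nothing with the rest
        if g == n:
            # Both primes are reused by other keys, so the batch GCD returns N
            # itself; fall back to pairwise GCDs for this one key.
            for j, m in enumerate(moduli):
                if j != i and 1 < gcd(n, m) < n:
                    g = gcd(n, m)
                    break
            else:
                continue                      # only exact duplicates; no factor
        p, q = sorted((g, n // g))
        weak[i] = (p, q)
    return weak


if __name__ == "__main__":
    for idx, (p, q) in find_weak_keys(SAMPLE_MODULI).items():
        print(f"key {idx}: N = {SAMPLE_MODULI[idx]} = {p} * {q}")
```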


Someone is pulling the strings, and it's not John McCain or Michele Bachmann.

The idea of a shadow de facto military coup led from the NSA and/or intelligence community is sadly not something we can dismiss out of hand anymore.


Really? Wouldn't a more likely explanation for the subservience of Congress to business interests be capitalism (of which the NSA-industrial complex is a small part)? I don't think it's necessary to conjure up an all-powerful-NSA conspiracy theory.
posted by Noisy Pink Bubbles at 7:02 PM on September 5, 2013 [2 favorites]


I don't think it's necessary to conjure up an all-powerful-NSA conspiracy theory.

Not necessary, but it sure is fun. I'm working on the Vince Foster/Area 51 angle.
posted by nightwood at 7:11 PM on September 5, 2013 [1 favorite]


Maybe the time has come to accept that the internet is just another public place and that opening your laptop is akin to opening your front door.
posted by cacofonie at 7:13 PM on September 5, 2013


Oh, they don't need you to open your laptop. From Ars Technica:
Researchers teach Wi-Fi to “see,” identify gestures

The team, led by Assistant Professor of Computer Science and Engineering Shyam Gollakota, developed a system dubbed WiSee, which uses radio waves from Wi-Fi to sense human body movements and detect command gestures from anywhere within a home or office.

...

By using multiple antennas and a Wi-Fi receiver with multiple input multiple output (MIMO) capability, WiSee can "lock on" to a specific user with an antenna from among a group of other people in a space.

...

WiSee can "see" through walls, making it more practical for applications like home automation as well as the usual Minority Report-like interactions with media and computing devices.
If you have a Wi-Fi router its beady little antennae are watching you. So if the NSA had a back door built into it they're able to watch you too. (Video demonstrating the system available at the second link.)
posted by XMLicious at 7:30 PM on September 5, 2013 [4 favorites]


cacofonie: "Maybe the time has come to accept that the internet is just another public place and that opening your laptop is akin to opening your front door."

The Internet as a whole is a public place and always has been, just like the physical world defaults to being public. What's new is that we have learned that there are few to no private places on it. It was assumed that crypto would keep your data from prying eyes. That has great implications for the usefulness of the network going forward. We need to be able to send, store, and process sensitive information using the network to reap its full benefit.

If I were in charge of IT security, I'd be having a heart attack right now, thinking of the difficulty and expense of migrating back to point to point leased lines instead of VPNs. At least with the leased line you (probably) don't have to worry about someone other than the NSA or the phone company listening in, especially if you also use crypto over that link.

I'm not so sure it's completely impossible to have strong crypto on the Internet anyway. You can't really do it with Windows because the attack surface is too large no matter what you do, so all the crypto in the world won't save you when the keylogger captures your password, but if you don't mind communicating sensitive information using command line tools on a computer running as few services as possible and using vetted crypto algorithms and not using any hardware crypto acceleration it is likely possible to keep the NSA out at least for a while. They can't turn their brute forcing machines on everyone, at least not yet. Nor do they appear to have any radically advanced methods of cracking RSA or DSA or likely even AES (assuming a not-broken implementation, anyway). Otherwise, they wouldn't be bothering to plant backdoors in crypto software and in embedded hardware.
posted by wierdo at 7:34 PM on September 5, 2013 [2 favorites]


CheeseDigestsAll: "Based on the history of espionage, anything the NSA has is just a bank deposit away from also being in the hands of the Russians, Chinese, North Koreans, etc."

Extortion, blackmail, torture and death threats are dirt cheap.
posted by double block and bleed at 8:09 PM on September 5, 2013 [1 favorite]


odinsdream, I think this is too large for most people to understand. I barely begin to grasp what it means, as a non-IT person. And perhaps also there is a feeling that, well, if we're all equally compromised, then what does it matter?

In other words, if you want to whip up outrage, give people an example of Bad Shit that could/will happen as a result of this, to them.
posted by emjaybee at 8:10 PM on September 5, 2013 [1 favorite]


Tomorrow morning I was supposed to go explain why my systems were slow and yet busy today. Now I can just blame the NSA!
posted by wenestvedt at 8:13 PM on September 5, 2013


I understand that most of this is impossible for the typical internet user. Even I don't use all these tools for most everything I am working on. And I'm still primarily on Windows, unfortunately.

And despite all this Bruce Schneier is still using Windows. The fuck?
posted by euphorb at 8:15 PM on September 5, 2013 [1 favorite]


To put it in physical security terms, they've tampered with all of the locks from an unknown but large number of manufacturers such that they all share a master-key-combination. (Even the Yale locks.) A number greater than zero of people know this combination.

Sooner or later someone who has more pedestrian interests than spying will get this combination. If they don't already. As a non-security, non-IT person who reads a lot, I think the most straightforward and obvious to exploit would be the Certificate Authority keys? This would basically allow anyone who had the key to issue certificates saying that yes, they are Chase/BoA/Lloyds/HSBC/DeutscheBank, so please go ahead and enter your login information. And assuming they spoof the site correctly, there will be nothing you can do to detect it.
posted by PMdixon at 8:17 PM on September 5, 2013


In other words, if you want to whip up outrage, give people an example of Bad Shit that could/will happen as a result of this, to them.

It would be kinda cool to have a program (open source and not dialing out to someone else) that you can leave running in the background that lists everything you've done in the time it was running that the NSA could reasonably compromise, with detailed but accessible information about each type of intercept you ran the risk of and how likely it is that they have the capability. Fake spy on yourself to see just how pervasive it is.
posted by jason_steakums at 8:21 PM on September 5, 2013


As an IT professional, this scares the crap out of me. Sure, we've always guessed that governments had capabilities we didn't know about, that the NSA could pretty much crack anything they wanted to look at, and so on.

But now we know they've been fucking with the infrastructure, all the way up and down the stack. Everything is weaker than we thought it was, and some people have known about this for YEARS. How much do you want to bet that Snowden is really and truly the first person to leak this stuff, instead of just the first to do it publicly?

As has been pointed out above, BULL RUN is not a single master key, but many different capabilities of many different kinds. In other words, many secrets that can go astray. So who has what pieces that they aren't supposed to have? How long have they had them and what have they already done? People trust me with their data. What am I supposed to tell them?

I guess I could be considered a "neckbeard". But I'm not smug about this.

I'm fucking terrified.
posted by Zimboe Metamonkey at 8:33 PM on September 5, 2013 [11 favorites]


i'm not surprised.
posted by cupcake1337 at 8:33 PM on September 5, 2013


As an aside, this kind of makes all of the brouhaha over counterfeit hardware in the past several years kind of silly. You know, because they told us counterfeit hardware might have backdoors in it.
posted by Noisy Pink Bubbles at 8:40 PM on September 5, 2013 [5 favorites]


What am I supposed to tell them?

"Please hold while I rebuild your modern computing infrastructure from the metal up"?
posted by PMdixon at 8:41 PM on September 5, 2013 [6 favorites]


ummm by the way you misspelled guardian
posted by flyinghamster at 8:47 PM on September 5, 2013


The thing is, it's almost certainly not just the NSA, and not just in America. We have to assume that any piece of software or hardware from any country has similar backdoors in it. Running to put your secret data in a system in another country won't do any good, because everything is most likely compromised.

Really, the only thing to do is abandon the internet and all electronics that handle data, and rebuild everything from the ground up. And that simply just can't happen.
posted by happyroach at 8:48 PM on September 5, 2013 [1 favorite]


odinsdream (and others) do we really believe that security in other nations in Europe, or in Canada, is better, that these backdoors/keys are unique to the US?

Maybe that is a dumb question, but given that most businesses are fairly clueless about encryption and security beyond the basics, and need to keep doing business, and haven't yet had competitors rip off their proprietary info and use it against them (which I assume is one thing they need secrecy for), are they really going to do anything? Or feel that they can do anything?

If I owned Giant PharmaCorp, in other words, would I really believe that not doing business with a US company (which may be impossible) would keep me safe? Or would I just assume that we are all fucked and hope the bad shit, whatever it might be, doesn't hit me too badly or at all?

What does this datapocalypse look like, in other words?
posted by emjaybee at 8:51 PM on September 5, 2013 [1 favorite]


You really have to hope that there is some kind of magic quantum crypto waiting in the wings, otherwise, Pandora's box may be opening. We might find ourselves able to point to tanking shares in Apple, Google, etc. as the real world impact of these revelations. If there's nothing to replace what's been revealed as a sham, things are going to get really interesting.

It may not happen for awhile, but it's now only a matter of time until a massive identity theft or other fraud ring is linked to one of these backdoors and once that happens, the kind of crime that has that visceral personal hook these stories lack. I'm afraid the bottom will fall out when that happens.
posted by feloniousmonk at 8:53 PM on September 5, 2013 [5 favorites]


If I owned Giant PharmaCorp, in other words, would I really believe that not doing business with a US company (which may be impossible) would keep me safe?

IANAL, but I suspect liability looks quite different for doing business with someone you know is compromised vs someone who's just probably compromised. So it's not just about being safe, it's about what you can say you did and didn't know.
posted by PMdixon at 8:53 PM on September 5, 2013 [5 favorites]


ummm by the way you misspelled guardian

As is the custom.
posted by We had a deal, Kyle at 8:54 PM on September 5, 2013 [9 favorites]


US-based systems are a known liability now, while others are only a potential liability. On preview: what PMdixon said.

For what it's worth, I doubt this will be the death of the Internet, or a major economic crash. But it is a kick in the balls. As a country, we really didn't need that, especially not right now.
posted by Zimboe Metamonkey at 8:59 PM on September 5, 2013


According to one of the leaked documents BULLRUN is up and running in the US, soon to be implemented in the UK, and is "expected" to be implemented in Canada, Australia, and New Zealand.
posted by clorox at 9:00 PM on September 5, 2013


From a few months ago, but relevant to the latest leak

How the NSA, and your boss, can intercept and break SSL
posted by nightwood at 9:01 PM on September 5, 2013


Apropos of nothing, I'm genuinely surprised that ANZAC and Canada are in on it. I wouldn't have expected the non-Indian Anglosphere to be a meaningful unit in this context.
posted by PMdixon at 9:03 PM on September 5, 2013


I am also wondering how long until I absolutely have to write my own OS.

I think this was the point behind Trusting Trust, that it's never enough.
I also linked this in one of the previous threads, even with open source software, you can't be absolutely certain that the machine code is what you expect from the source code. Except I was a god damned fool, I thought that even though it was possible, that the government wouldn't have done something so disastrous as backdoor everything in multiple products, something that has the potential to destroy the US tech sector. We don't know if the maintainers of GCC or Clang were coerced into compromising their compilers, or if their machines were compromised and such hacks inserted. But in any case, the compiler attacks could potentially be gotten around by revisiting areas of key sensitivity such as pseudo random number generators and making sure they have a completely unrecognizable abstract syntax tree. The back door in Intel's hardware random number generator can be gotten around by feeding it into a pseudo random number generator. But unless we know exactly what's been attacked, it's hard to know what needs to be reworked, except everything, from scratch. Who wants to start building a new compiler, carefully tracking the exact series of self-compilations in a manner verifiable by others?

I've noticed a trend in security companies; they are either huge and already implicated in this scandal, or they are tiny and flit in and out of business. I was trying to buy an EntropyKey a while back in order to get real random numbers, but I could never get in touch with them because they just fell completely off the map shortly before I could order. The web site's there, but they're no longer shipping devices, and the phone number doesn't work. Nobody has received one in months. Lately I've been looking for USB dongles that emulate Smart Cards, or similar devices, and nobody is around any more, or they're an obscure overseas company, with a primary language that isn't English. Nothing wrong with being non-US, it's just rare in a tech field that there are no US companies providing an equivalent product. RSA, the US company, was compromised a couple years ago in a widely publicized attack, perhaps that was government-related as well? In any case, it doesn't matter anymore. Cisco is completely worthless as far as VPNs go, as well as all the products from all the other big guys. I've never felt better about using pfSense as a VPN; not only did we save $100k+ but it's far more likely to be actually secure. Assuming that our random number generators that generated our keys weren't compromised. (HAH!)

It bears repeating again that without an open society, a society where we know that individuals and companies can't be forced to act against their will, there is no security and no privacy. There is security for the NSA, but not for us citizens. If this is the level of information that was available to some random sysadmin schlub at a government contractor and not even a full NSA employee, you have to wonder how much more is going on that we don't even know about that Snowden was not privy to.

I was already somewhat blown away by previous revelations, but I never thought they were doing this much. Never. There is no paranoia that is not deserved, now. Perhaps we can trust the math, but we can't trust our software or our hardware, so the math does us no good.
posted by Llama-Lime at 9:07 PM on September 5, 2013 [34 favorites]


Apropos of nothing, I'm genuinely surprised that ANZAC and Canada are in on it

US + UK + Canada + ANZAC = the Anglo-Saxon axis of evil.
posted by Mister Bijou at 9:10 PM on September 5, 2013


AUSCANZUKUS, technically.
posted by clorox at 9:11 PM on September 5, 2013 [2 favorites]


As an aside, this kind of makes all of the brouhaha over counterfeit hardware in the past several years kind of silly. You know, because they told us counterfeit hardware might have backdoors in it.

alright, i've got a bet on "the actual reason for the hearings was that huawei wasn't backdoored"
posted by junco at 9:12 PM on September 5, 2013 [5 favorites]


I feel like we're the Byzantines and we've just learned that even our biggest Theodosian walls are no match for the latest in gunpowder technology. All of these defenses we've built up over the years are now definitively vulnerable to anyone who is sufficiently determined to invest the effort in destroying them. People were aware of the possibility of this sort of thing in a theoretical and often glib manner before, but now we know in a definitive and actionable way. I hope we can look back at this as a watershed moment on the way to a truly trustworthy public internet rather than the prelude to chaos, but it is incredibly hard to be optimistic in the face of this level of insanity.
posted by feloniousmonk at 9:15 PM on September 5, 2013 [1 favorite]


I was already somewhat blown away by previous revelations, but I never thought they were doing this much.

Be prepared for the revelations to keep getting worse until Greenwald's book comes out.
posted by nightwood at 9:19 PM on September 5, 2013 [1 favorite]


Also, as one of the first comments over on Schneier's blog points out, there are quite a few SV/tech companies funded directly by the US intelligence apparatus, through the CIA's "In-Q-Tel" subsidiary (the example given there was Callminer).
posted by junco at 9:21 PM on September 5, 2013 [2 favorites]


I can only imagine the kind of panic that's taking place in DC over this, especially since there is absolutely no reason to think the end is in sight. This makes "but there is oversight" look like an even more laughable defense than it did when it was originally deployed.
posted by feloniousmonk at 9:22 PM on September 5, 2013 [2 favorites]


Here's a list of companies In-Q-Tel has funded (publicly). Reading the company profiles is instructive (and terrifying).
posted by junco at 9:24 PM on September 5, 2013 [2 favorites]


I have no idea why the fuck this isn't breaking news, like interrupt-this-broadcast 24-hour ticker-tape telethon style breaking news.

Seriously. If this story somehow doesn't become the Watergate of our era, with massive political fallout, it basically means that the security state has already won. The way it's being minimized and underreported today is a little baffling to me — but perhaps we can hope that's partly due to the relatively high level of technological literacy required to comprehend it, so that future days' reporting will improve as the journalists themselves begin to understand the massive scale of the story.
posted by RogerB at 9:35 PM on September 5, 2013 [18 favorites]


I have no idea why the fuck this isn't breaking news, like interrupt-this-broadcast 24-hour ticker-tape telethon style breaking news.

Because it implicates large parts of the government and American industry in wrongdoing (including, perhaps, companies that have relations -- ownership, advertising, distribution or otherwise -- with news organizations)?

I mean, yes, it *should* be news. I felt the same way during the previous revelation when it was reported that US companies were getting paid for implementing PRISM, that is, catching them in a lie about not having known about it. It seems to have just passed completely unnoticed... as if all the companies involved just agreed to pretend it didn't happen, and the news went along with it.
posted by Noisy Pink Bubbles at 9:47 PM on September 5, 2013 [4 favorites]


I think that's the thing. Most people have no idea what "encryption" means. They know they're supposed to see a picture of a lock on credit card forms, but that's about the extent of it.
posted by the jam at 9:47 PM on September 5, 2013 [3 favorites]


nightwood: "From a few months ago, but relevant to the latest leak"

But not really as disturbing from an infrastructure standpoint. Faking CA certificates is one thing, and does expose everything that you send to, say, Amazon or your bank, but isn't a widespread capability. Forgeries have thus far mostly been done by either hacking a CA directly or socially engineering them into issuing a certificate. As CAs tighten up and browsers/OSes start tightening up their list of trusted CAs that problem can largely be mitigated.

I don't think the NSA is yet at the point where they care too much about stealing your credit card number, so the actual impact on day to day life is low, because it's a relatively difficult attack, or at least could be.

If the NSA has been quietly slipping backdoors into commercial systems that allow them to do something as difficult to detect as degrade the quality of the system random number generator, they are making it easier for not only themselves to attack you, but also any others who have access to somewhat large amounts of computing resources. (anyone with a credit card now that cloud computing is here) And that's just the least invasive way of them tampering with systems that makes the crypto breakable, but with some difficulty. It's not a total failure of all commercial crypto (and possibly open source as well), but not a whole lot better. In this world, I'm still willing to use my credit card online, but not a debit card or my bank account number, nor my own bank's website if their site allows me to transfer money out.

The references to the capability of getting plaintext directly from devices is what concerns me. Find that back door in one commonly used piece of kit and you suddenly don't even need a credit card, just a computer and an Internet connection, and you've got access to a massive chunk of the traffic passed over VPNs or through Internet-addressable devices. In this world, we should all just go home when it comes to commerce because we can't ever be sure anything is secure, at least until every piece of kit on every Internet-addressable network has been replaced. The only way to securely use it is to send data encrypted on an airgapped machine with protection against USB-based exploits to people who copy the encrypted file onto another airgapped machine and decrypt it there, and that's only after gpg or your favorite other public-key crypto program has been thoroughly vetted. For now we're running on hope and good intentions.
posted by wierdo at 9:49 PM on September 5, 2013 [3 favorites]


Sadly my bet is that most (too many) people won't care. The slow drip-drip of revelations makes each individual bit of news less interesting to the public, less of a surprise. I have to wonder if one giant reveal might not have been more arresting - more of a call to action. As it is, people are going to yawn about two pages into the NYTimes story and forget it by Friday morning. "Are they out of their minds? They let Peyton Manning score five times last night?!"
posted by newdaddy at 9:51 PM on September 5, 2013 [2 favorites]


Since the heady days of ranting about Carnivore and Echelon on Slashdot in '00 or so, being somebody with at least a hobbyist-level interest in comp sec, I haven't been sure that 'paranoia' was even an operative concept in considering NSA's capabilities.

However.

I haven't even processed this completely, but I'm pretty sure that this stuff- the variety and amount of ways they've broken the entire concepts of privacy and secrecy- is beyond even my most fevered imaginings. This story would have been like laughed-off-the-internet-level ravings, serious cuckoo-banana-pants stuff a few years ago, maybe even a few months ago... it's hard to get across the level of mind-fuckery here.

I'll put it this way, to my fellow 'paranoid' amateurs- if Bruce Schneier is surprised*, then either you are too, or else you're just not talking about the same thing.

*or scared shitless, or whatever.
posted by hap_hazard at 9:52 PM on September 5, 2013 [20 favorites]


You're alleging a shadow government inside the NSA? That seems farfetched.

Frankly, I'm having a hard time seeing anything as farfetched any more.
posted by His thoughts were red thoughts at 10:12 PM on September 5, 2013 [2 favorites]


junco: "alright, i've got a bet on 'the actual reason for the hearings was that huawei wasn't backdoored'."

I have a question. Is it more likely that the US, Canadian and Australian governments excluded Huawei from telecommunications infrastructure projects because they would inevitably become aware of and/or complicit in the surveillance?
posted by bigZLiLk at 10:18 PM on September 5, 2013 [3 favorites]


So is the EFF the good guys here? Seems like they're involved in lawsuits against the government to expose more of this stuff. I made a donation in the wake of the Aaron Swartz suicide, and this stuff today has me thinking about donating more. They seem like a somewhat-less-likely-to-get-you-put-on-a-List charity than Wikileaks at least.

(Can you imagine that we now have to make these kinds of determinations these days?)
posted by rustcrumb at 10:53 PM on September 5, 2013 [2 favorites]


Huawei has been involved in UK infrastructure for some time. There have been some warnings about the company, but they have not been excluded. Given the wholeheartedness with which the UK has embraced the US spying project--and the unquestioning loyalty to it that they exhibit--this would not have been allowed without the US say-so.
posted by Thing at 10:56 PM on September 5, 2013


Is there any indication of the extent to which the other 5 Eyes partners - Canada, Australia, NZ - are involved? I can only find one slender reference (in the ProPublica article) which suggests that they know, but not whether they too are hacking and sending spies into tech companies.
posted by His thoughts were red thoughts at 11:31 PM on September 5, 2013


NSA head releases statement, essentially verifies authenticity of dox: "The stories published yesterday, however, reveal specific and classified details about how we conduct this critical intelligence activity."

Tumblr? Seriously? Also this statement isn't going to be winning any awards for saying things without saying them. Feels rushed, looks like a few positive positives were just narrowly avoided.
Overall: 1.5 Ecclestones out of 20
posted by clorox at 11:34 PM on September 5, 2013 [1 favorite]


Welp, now we know why Obama suddenly cares so much for Syrians.

Timing is *everything*.
posted by armoir from antproof case at 11:45 PM on September 5, 2013 [10 favorites]


"It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into [OpenBSD's] network stack, in particular the IPSEC stack. Around 2000-2001."
posted by clorox at 12:04 AM on September 6, 2013 [4 favorites]


So, does this mean that soon, "they", whoever "they" might be, will have the ability not just to intercept arbitrary traffic, but to spoof it as well?
posted by w.fugawe at 2:08 AM on September 6, 2013


So, does this mean that soon, "they", whoever "they" might be, will have the ability not just to intercept arbitrary traffic, but to spoof it as well?

Yes. You can strike the soon though.
posted by jaduncan at 2:48 AM on September 6, 2013 [2 favorites]


so if they can crack our bank security who's to say they're not funding themselves by dipping into american pockets (or blackmail or whatever)
posted by This, of course, alludes to you at 3:03 AM on September 6, 2013


^ I hoped they were specifically targeting legitimate targets.

hahahahahaha Sorry to disillusion you.
Everybody, every entity is considered a legitimate target by this parasitical agency.
We have arrived.
If you want a vision of the future, Winston, imagine a boot stamping on a human face - forever.
posted by adamvasco at 3:32 AM on September 6, 2013 [1 favorite]


I know some neckbeards who are going to be So. Fucking. Smug. tomorrow.
thanks, "civilian_netizen_1952"!
posted by This, of course, alludes to you at 3:48 AM on September 6, 2013


so if they can crack our bank security who's to say they're not funding themselves by dipping into american pockets

They are. It's just that that's what taxes are for.
posted by jaduncan at 4:15 AM on September 6, 2013


It's also worth remembering that virtually all motherboards ship with a second, uncontrollable and unauditable operating system which (unlike BIOS) is still active when you're booted into your operating system of choice.

In the case of Intel's Active Management Technology, administrators can do a shocking range of things remotely like KVM and installation of a new OS image. If the NSA has their finger in this pie then a remote compromise of any AMT-enabled PC that is on the Internet is, well, verging on trivial.

Reboot to install updates? Guess so.
posted by jepler at 4:20 AM on September 6, 2013 [4 favorites]


Well, if you trust Schneier's analysis there's at least this:

The primary way the NSA eavesdrops on internet communications is in the network. That's where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly.

But seriously. It turns out the only thing Sneakers got wrong is that Janek's 'box' is code rather than chips. And the threat of a 'Cosmo' is very real (although probably with different aims than collapsing banking to trigger a post-capitalist society). A big part of the NSA's villainy here is that they've undermined the ability to be secure against anyone, just to expand their own capabilities.

I've been beside myself since I read about this latest disclosure last night. I woke up super early thinking about it. I'm sort of poleaxed that it does not appear to have made the national morning news. I would say more but I feel like I would just slide into a multiparagraph rant, without saying anything that hasn't been said upthread.
posted by snuffleupagus at 4:22 AM on September 6, 2013 [8 favorites]


The U.S. government is quite blatantly breaking the law, but is this actually illegal in the Commonwealth countries that are planning to roll it out?
posted by one more dead town's last parade at 4:33 AM on September 6, 2013


Yep, except for the previously posted NYTimes piece, no mention on my local news.
posted by emjaybee at 4:33 AM on September 6, 2013


It's on the front page of the NYTimes this morning.

Well, that's something. So far as I can tell, it didn't make the early/morning shows on the East Coast.

I know some neckbeards who are going to be So. Fucking. Smug. tomorrow.

I will admit to some very-sad-faced-smugness related to the shockingly trusting and dismissive naivete that was on display amongst the second and third year law students--largely members of the 'Facebook generation'--in my Criminal Procedure class' segment on electronic surveillance and wiretapping this last Spring.

Especially that one guy who literally mocked me in front of 100+ classmates as "paranoid" and "silly" and suggesting the "impossible*" when I pointed out that the NSA's new data center was meant to allow them to capture most of the Internet's traffic through major peering points, etc., to hold onto 'flows' that appear to be of interest for later analysis--even though this was its acknowledged purpose at the time. And that since you didn't have to go any further than Ars Technica coverage to glean that, insisting that there were undoubtedly other collection programs or components that weren't acknowledged and would have been even more disturbing from a Fourth Amendment standpoint than the already awful stories and precedents from recent years that we were discussing.

The big revelations started flowing right when classes ended and haven't really stopped since. So a few months ago, I was another kook from the Early Internet. Now I'm another Cassandra. It doesn't feel much better. Why does my coffee taste like ashes?

* Forgive me for being unable to resist some neckbearding here: So buddy, I guess analysis of what is possible for the NSA based on your iPhone data plan and your struggle to keep up with your pr0n folder's expansion didn't really hold up, eh? I guess all that operating system and protocol mumbo jumbo still matters and wasn't really mooted by browser based encryption and "the cloud" after all, huh?
posted by snuffleupagus at 4:44 AM on September 6, 2013 [5 favorites]


Front page BBC
posted by adamvasco at 4:45 AM on September 6, 2013


CNN has it, though it's buried in bullet points under their Syria stuff.
posted by jquinby at 5:00 AM on September 6, 2013


"It is alleged that some ex-developers (and the company they worked for) accepted US government money to put backdoors into [OpenBSD's] network stack, in particular the IPSEC stack. Around 2000-2001."

Fuck. FUCK. If there's one thing I thought I could count on, it was that Theo was enough of a paranoid asshole to keep this from happening.
posted by bfranklin at 5:51 AM on September 6, 2013 [1 favorite]


The NSA's intimate knowledge of what encryption is in various products is no surprise. Ever since encryption technology was taken off the US Munitions List and controlled by the Dept. of Commerce, every product that was intended for export from the US has had its encryption content reviewed by both Commerce and the NSA. Oh, they didn't call it the NSA but the mailing address was the same. For most products that meant they knew what encryption algorithms the product contained, what bit lengths, and where the code came from. If you designed your own encryption, they required the source code as well. They know what everything contains and because they know what implementation you're using they know any weaknesses. That's on top of any possible tinkering they may have done to those implementations to introduce additional weaknesses.

They know it all. And they've known it for a long time.
posted by tommasz at 5:54 AM on September 6, 2013 [1 favorite]


if Bitcoin was actually a distributed tool for breaking encryption

ooooh that'd be brilliantly evil

I have no idea why the fuck this isn't breaking news, like interrupt-this-broadcast 24-hour ticker-tape telethon style breaking news.

Because the teeny tiny percentage of the population that actually understands what any of this means* A) is teeny tiny, 2) already kinda suspected this was happening, and iii) doesn't own a television anyway

*Seriously, to most people this lede

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.

translates as

We're winning a war! Using technical tech tech the tech tech to technical tech!
posted by ook at 6:08 AM on September 6, 2013 [1 favorite]


I believe the Battle of Manassas/Bull Run was chosen as a name because it was heavily influenced by espionage. Here's what Wikipedia says:

During the previous year, U.S. Army captain Thomas Jordan set up a pro-Southern spy network in Washington, DC, including Rose O'Neal Greenhow, a prominent socialite with a wide range of contacts. ... On July 9 and July 16 of 1861, Greenhow passed secret messages to Confederate General P.G.T. Beauregard containing critical information regarding military movements for what would be the First Battle of Bull Run, including the plans of Union general McDowell.
posted by BillW at 6:23 AM on September 6, 2013 [1 favorite]


There are going to be some really fabulous books about when "Information Theory" and "National Security" collided in the early part of the 21st century, someday.
posted by DigDoug at 6:48 AM on September 6, 2013 [2 favorites]


Also: Is this the thing that revitalizes the oft-derided cypherpunk movement?
posted by bfranklin at 6:53 AM on September 6, 2013


Is there any indication of the extent to which the other 5 Eyes partners - Canada, Australia, NZ - are involved? I can only find one slender reference (in the ProPublica article) which suggests that they know, but not whether they too are hacking and sending spies into tech companies.

I didn't see anything at all about this issue in the CBC, Globe, or Toronto Star this morning. Dunno exactly what that means, probably today the journalists will be trying to learn what they can about Canada's role and it'll come out Monday/weekend.
posted by Lemurrhea at 7:21 AM on September 6, 2013


It's way worse than that. There are like, 10 people in the world doing stuff that would be provably secure now. One-time paper pads are still valid, I guess, but for technical solutions you need to be on the ground floor, like Bunny's completely custom laptop project or even Google building their own switching hardware.

We're talking about going to the bare fucking metal and verifying your chips, or making them yourself. Good luck with that.


Open source hardware is a great concept, even if you do have to trust the manufacturer. I will note that there are way more than 10 working on provably secure -- formal verification is big money, but sadly it's mostly funded by the very orgs we're bitching about.

I am debating going whole hog on the system configuration I suggested last week, though.
posted by bfranklin at 7:26 AM on September 6, 2013


Practical question: I have an SSH key I’ve been using for the past decade as my primary personal credential for servers everywhere. What’s the best algorithm, length, and generation method to use to replace it?
posted by migurski at 7:44 AM on September 6, 2013


One thing you can do is use multiple SSH keys, specifying them (and optionally the servers to which they should apply) in your ~/.ssh/config file. More info.
posted by titus-g at 7:51 AM on September 6, 2013 [2 favorites]


Practical question: I have an SSH key I’ve been using for the past decade as my primary personal credential for servers everywhere. What’s the best algorithm, length, and generation method to use to replace it?

RSA, 2048 bits, generated on a machine running OpenBSD. Yes, upthread there's a comment about backdoors in the crypto stack on OpenBSD, but if OpenBSD is compromised, you can be damn sure every other major distro is. OpenBSD provides stronger entropy by having multiple consumers of the entropy pool, so you aren't getting sequential bits of entropy.
posted by bfranklin at 7:53 AM on September 6, 2013 [3 favorites]


Also, Schneier has raised the caveat that the NSA may have made crypto breakthroughs to attack ciphers. In that case, you may want to go up to 4096, which is supported by most sshds.
posted by bfranklin at 7:56 AM on September 6, 2013 [1 favorite]


Thanks! Is it safe to do this on OpenBSD running in a VM like Virtualbox?
posted by migurski at 7:57 AM on September 6, 2013


This neckbeard doesn't feel smug. I feel sick.
posted by double block and bleed at 7:58 AM on September 6, 2013 [1 favorite]


jepler: "It's also worth remembering that virtually all motherboards ship with a second, uncontrollable and unauditable, operating system which (unlike BIOS) is still active when you're booted into your operating system of choice."

Thankfully it isn't quite that bad? Most low-end PC hardware doesn't have all the wires hooked up needed to enable these technologies. God help you if you're using something you know has it or a server with IPMI, although we already knew most IPMI BMCs are exploitable by third parties. Yes, an IPMI BMC really is a little computer running on its own SoC embedded in your motherboard. Thankfully it's mostly a server/workstation thing and it usually costs extra.

migurski, if that key is an RSA key not generated on a Debian machine with a broken PRNG and is greater than 1024 bits, you're probably better off continuing to use it than generating something new at this point. If you do generate a new one, make it at least 2048 bits, and consider 3072. This will be somewhat annoying if you log in to lots of embedded machines with signature-based authentication, but will likely be enough for a while. Oh, and generate it on OpenBSD. It's better audited than the alternatives.

Run OpenBSD on bare metal. Preferably on an older computer with a fresh hard drive and no network access.
posted by wierdo at 7:58 AM on September 6, 2013 [1 favorite]
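A way to check the "greater than 1024 bits" condition on an existing key, added here as an illustration and not something posted in the thread. `ssh-keygen -l -f ~/.ssh/id_rsa.pub` already prints the modulus size; parsing the public key line yourself shows where that number comes from (the RFC 4253 blob: a type string, then the exponent and modulus as length-prefixed mpints). The two sample keys are constructed inside the block from integers of the target size and are not real RSA key material.

```python
"""Report the modulus size of an OpenSSH RSA public key line.  Added example for
this thread, not from any project; SAMPLE_KEYS are synthetic (right-sized integers,
not real moduli) built with build_ssh_rsa so the parser runs offline."""
import base64
import struct


def _string(blob, pos):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def parse_ssh_rsa(line):
    """Return (e, n) from 'ssh-rsa AAAA... comment'.  Blob layout (RFC 4253 6.6):
    string "ssh-rsa", mpint e, mpint n.  An mpint is minimal big-endian bytes with
    a leading 0x00 when the top bit is set, so leading zeros are harmless here."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    kind, pos = _string(blob, 0)
    if kind != b"ssh-rsa":
        raise ValueError("blob type %r does not match the line prefix" % kind)
    e_bytes, pos = _string(blob, pos)
    n_bytes, pos = _string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the modulus")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def rsa_bits(line):
    """Modulus size in bits: the first number ssh-keygen -l prints."""
    return parse_ssh_rsa(line)[1].bit_length()


def verdict(line, minimum=2048):
    """Apply the thread's rule of thumb (NIST's post-2013 floor) to one key line."""
    bits = rsa_bits(line)
    if bits >= minimum:
        return "ok (%d-bit RSA)" % bits
    return "replace (%d-bit RSA is below %d)" % (bits, minimum)


def _mpint(v):
    # bit_length // 8 + 1 is minimal and adds the 0x00 sign pad exactly when needed
    return v.to_bytes(v.bit_length() // 8 + 1, "big")


def build_ssh_rsa(e, n, comment="synthetic"):
    """Inverse of parse_ssh_rsa; used only to construct the sample lines below."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = s(b"ssh-rsa") + s(_mpint(e)) + s(_mpint(n))
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode("ascii"), comment)


# Constructed sample keys: the moduli are just integers of the target bit size.
SAMPLE_KEYS = {
    "laptop-2001": build_ssh_rsa(65537, (1 << 1023) | 0x10001, "old 1024-bit key"),
    "fresh-2013": build_ssh_rsa(65537, (1 << 2047) | 0x10001, "new 2048-bit key"),
}

if __name__ == "__main__":
    for name, line in SAMPLE_KEYS.items():
        print(name, verdict(line))
```

The parser tells you the size, not the provenance: a 2048-bit key made by the broken Debian OpenSSL of DSA-1571 is still bad, and for that the check is the `ssh-vulnkey` blacklist Debian shipped with the fix, not the bit count. For a replacement, `ssh-keygen -t rsa -b 4096` produces the size bfranklin mentions upthread.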


Preferably on an older computer with a fresh hard drive and no network access.

Hah! Finally my inability to ever throw away old hardware cunning plan pays off!
posted by titus-g at 8:02 AM on September 6, 2013 [5 favorites]


Thanks! Is it safe to do this on OpenBSD running in a VM like Virtualbox?

Only if you trust VirtualBox not to lie to OBSD. Just run a live CD.
posted by bfranklin at 8:04 AM on September 6, 2013 [1 favorite]


I wish I remember where I generated the key. It may have been on a BSD server run by our paranoid sysadmin in 2001, but it might also have been on the G4 tower I had at the time. I’ll try the live CD route on a laptop, hope it works!

Also out of curiosity, if I wanted to be perversely artisanal would it make sense to instead throw a die one thousand times to craft hand-made randomness?
posted by migurski at 8:06 AM on September 6, 2013


Also out of curiosity, if I wanted to be perversely artisanal would it make sense to instead throw a die one thousand times to craft hand-made randomness?

The RNG in BSD has been tested to be statistically random, and that testing has not had an eroding effect on the RNG. The die, on the other hand, has a bit of a problem with this.

Possibly good enough, but I wouldn't do it.
posted by bfranklin at 8:08 AM on September 6, 2013


Preferably on an older computer with a fresh hard drive and no network access.

How old is desirable? Is non-Intel desirable? Because as another Cunning Planner (I like that way better than 'tech hoarder') I still have a G4 (sans working power supply), and even a few 68040 machines.
posted by snuffleupagus at 8:17 AM on September 6, 2013


This is what NIST has to say about RSA-1024 in the context of FISMA, which is the security standard which governs data centers, including public clouds like AWS Federal, used to host software used by federal agencies.

"Note that use of 1024-bit RSA for digital signature and key management keys was phased out in 2008. The use of 1024-bit RSA for authentication keys is permitted to leverage current products and promote efficient adoption of FIPS 201, but must be phased out by 12/31/2013."

I'm not able to find any quick numbers, but RSA-1024 is in wide use right now. Most of the systems I've worked with used it, which means they are vulnerable. I think this is true for most developers who would take the time to go back and look at the encryption they've used in the past.

What’s the best algorithm, length, and generation method to use to replace it?

In addition to figuring out a safe way to generate a keypair, you need to consider where you'll store the private key. I think this is the real long term risk. It's hard to store it in a way that is both safe and doesn't render it useless. I bet there are a lot of people who throw their keys on DropBox without really thinking about it.
posted by feloniousmonk at 8:19 AM on September 6, 2013


Good news! For those of you considering writing your own OS, you might not need to - remember this?
posted by Nanukthedog at 8:23 AM on September 6, 2013 [4 favorites]


Realistically, I'd need to store it in all the various places I have accounts I need to ssh from, so EC2 machines and shared hosting and so on. Sounds like multiple keys are a great way to go.
posted by migurski at 8:23 AM on September 6, 2013


Realistically, I'd need to store it in all the various places I have accounts I need to ssh from, so EC2 machines and shared hosting and so on. Sounds like multiple keys are a great way to go.

Protip: get yourself a centralized management system that you use to jump into all your other systems, rather than going peer-to-peer and leaving keys strewn about everywhere.

Also, rotate your keys more frequently if you're leaving them in the cloud.
posted by bfranklin at 8:29 AM on September 6, 2013


We don't know the details yet, but I imagine a component of these systems has to be a filter on the main backbone taps which copies any private keys it encounters, so if you've ever transmitted or ever will transmit it over a subverted channel, which we now know could be any channel, even a nominally secure one, you should probably assume it's been compromised.

The scale of this compromise is so vast that like a lot of other IT types in this thread, I don't even know where to begin with a response. I'm not even sure there is a response. We should hope the actual security types are doing a little better, but we shouldn't be overly optimistic.
posted by feloniousmonk at 8:31 AM on September 6, 2013 [1 favorite]


I have SUCH a man-crush on Charlie Pierce:
I don't know when The National Conversation is going to begin -- we seem to be sitting through a Bombing Syria delay in the proceedings -- but Why Should We Trust Anything The NSA Says? should be Topic A. What An Asshat Glenn Greenwald Is can wait for another day, I think.
posted by mfu at 8:33 AM on September 6, 2013 [5 favorites]


Popehat- NSA Codebreaking: I Am The Other
posted by T.D. Strange at 8:37 AM on September 6, 2013 [4 favorites]


It's hard to store it in a way that is both safe and doesn't render it useless.

The other advantage of having multiple keys is that you can have your everyday ones on boot accessible drives, and the more secure ones in steganographically encrypted files in a hidden truecrypt folder on a geli encrypted drive, all with manual passphrase entry required to access.

You could even go to truly paranoid lengths such as writing up a system so that each key pair can only be used for one-time logins. On the other hand in many ways all this is personal security theatre, at this point if someone with the resources of the NSA want to get your datas, then most likely they will.
posted by titus-g at 8:39 AM on September 6, 2013


Bfranklin, that sounds a bit SPOFish. Any pointers to good descriptions?
posted by migurski at 8:41 AM on September 6, 2013


Democracy Now! this morning:

The End of Internet Privacy? Glenn Greenwald on Secret NSA Program to Crack Online Encryption

“Undermining the Very Fabric of the Internet": Bruce Schneier on NSA’s Secret Online Spying

Although, as another data point on how important people consider this, the NSA story came in headlines after three stories on Syria and one story on Russia/LGBT (but of course they did devote a lot of feature time talking about it).
posted by Noisy Pink Bubbles at 8:57 AM on September 6, 2013 [2 favorites]


Regarding my question about avoiding recent hardware for creating keys, it doesn't sound like BSD on a 68k mac is the way to go either. The 68k port was discontinued with 5.1 a little over a year ago, and so isn't receiving fixes etc. Also the announcement contained this warning regarding the 68k family and other older HW:

Also, we are worried that the horsepower of these old systems is not
enough to allow for proper security[3]. Although we hope none of you
OpenBSD/mac68k users have your macs directly connected to the hostile
internet, these platforms can not provide enough crypto performance and
enough entropy to be deemed reliable, as soon as you untrusted users
having access to them.

[3] Note that this does not only concern mac68k, but the other
m68k-based platforms, and arguably more systems. They might forcibly
get retired soon. The unofficial project policy is to keep
supporting a platform as long as the fastest systems available still
meet our security requirements. Thus we are still supporting (and
running fine, I'd mention) on a 16.66MHz Sun 4/260 - which still
runs circles around most of the m68k macintoshes due to a much
better memory and I/O system - because the same kernel will also run
on much faster sparc systems.

posted by snuffleupagus at 9:01 AM on September 6, 2013


Some speculation.
posted by RobotVoodooPower at 9:07 AM on September 6, 2013 [5 favorites]


adamsc: [..M]aster lock gave everyone one of 4 keys because the FBI didn't like having to hire locksmiths[...]

This is only the start of the problem. Imagine that even if you tried to make your own lock, the tools for building locks are actually only capable of making these weak locks. And the tools for making the tools. You'd have to go all the way back to rocks and sticks. Anyone you hired to help you might be a government saboteur. If you slipped up just once along the way, you might as well start all over again.

And it really is everyone who is stuck with these crappy locks. It's not just the locks on your bike or house that are crappy, the bank vaults and stock exchanges are all locked with the same crappy locks. The offices of politicians and activists.

And the government itself is totally unchecked. The courts that issue the warrants are a rubber stamp. The probable cause is "because I said so." The things to be seized are "everything". The people served with the warrants are restrained, a priori, from speaking about them.
posted by rustcrumb at 9:39 AM on September 6, 2013 [23 favorites]


In terms of audacity and utter disregard for devastating consequences, this makes Enabran Tain's trip to the Gamma Quadrant look reasonable and circumspect.
posted by Z. Aurelius Fraught at 9:39 AM on September 6, 2013 [2 favorites]


What did all you outraged folks think NSA actually did before you saw this story? Sit on their hands and wait for someone to hand them some plaintext messages from foreign governments?

For as long as we have been discussing this on Metafilter, we have known what the NSA's job is. It feels like the subtext of this remark is that we don't know what the NSA is supposed to do. That feels a little insulting. The United States has legitimate national security concerns, and for the most part I think we accept the necessity of intercepting messages and breaking codes in certain instances.

What we object to, strongly, are the methods that the NSA uses, the mostly unrestrained scope of its surveillance, and the lack of meaningful debate on these issues.

So, what did this "outraged" person think? I thought and said that the body politic must exercise informed consent over the methods used to police us. It is insufficient to exercise consent over the goals of policing alone — we must consent to the methods, because when we do not, the state will use increasingly unethical and dangerous means to accomplish those goals.

We are now seeing the result of our non-consent. We are now seeing just how unethical and dangerous the NSA's methods are.

The comment I quoted above is not a defense of the NSA's methods. It is a tacit restatement of their goals. I welcome a defense of the NSA's actions (and have yet to see it in this thread), but I do not think anyone can reasonably argue that we, as a society, have arrived at the status quo by way of informed and reasonable deliberation.

This reality is underscored by the way in which the security establishment explains its actions. The NSA has defended its eavesdropping by portraying it in a manner that they believe the public will find acceptable. They consistently describe their work as focused spying that operates with scalpel-like precision, affecting only legitimate targets. Yesterday's revelation was the "blunt object" leak. This affects the entire Internet; it affects everyone. This leak demonstrates that the scope and methods of the NSA's work are inconsistent with what they believe the public will find acceptable.
posted by compartment at 9:41 AM on September 6, 2013 [26 favorites]


Bfranklin, that sounds a bit SPOFish. Any pointers to good descriptions?

Well, by "a" I meant a redundant pair if you can't afford to lose your key. Losing an ssh login key normally isn't _that_ huge an issue for me and I can live with the SPOF and just use the console if things get broken. If you're talking about SPOF from a compromise standpoint then:

In the peer to peer model, I can ssh to any box as you once I compromise your account on any box.

In the root management node model, I can ssh to any box as you once I compromise your account on one heavily defended box.

Having your key in less places leads to greater security.

Don't know what you're looking for/meaning by a good description -- generally I'd configure a host like this as a bastion host with a pretty restrictive security configuration. If you look at the CIS Benchmarks, I'd use a Level 2 or SSLF configuration, depending on what language the benchmark uses for that particular OS.
posted by bfranklin at 9:57 AM on September 6, 2013


Where are the protest organizers hanging out? I want to join them. This is certainly worthy of 24-hour digital device blackouts, tent cities, marches across the Brooklyn Bridge, convergences upon the Capitol and the White House, phone calls to our elected representatives. The Snowden leaks need a movement to spring up around them. Unless one already has and I just don't know. Anybody got linkage?
posted by brina at 9:57 AM on September 6, 2013 [3 favorites]


For as long as we have been discussing this on Metafilter, we have known what the NSA's job is. It feels like the subtext of this remark is that we don't know what the NSA is supposed to do. That feels a little insulting. The United States has legitimate national security concerns, and for the most part I think we accept the necessity of intercepting messages and breaking codes in certain instances.

Yes. I think the issue here is less the existence of the NSA but the complete lack of leadership and oversight.

The NSA is like a guard dog chained up in your yard. Except in this case it's a rabid, blind, unsupervised dog on a chain that turns out to be six hundred feet long instead of six feet long.

And guess what, it's been chewing on every single fucking thing it can gets its foaming mouth on.

Certainly at this point, the dog needs to be shot. But the dog will simply be replaced. We need to get someone to actually supervise these people. Because otherwise it'll just be more of the same. There has been an utter failure of leadership from elected US officials and military leaders.
posted by GuyZero at 9:59 AM on September 6, 2013 [7 favorites]


Bfranklin, what are examples of software packages or practices that do this? Is it something like a remote ssh-agent? Is agent even safe locally to begin with?
posted by migurski at 10:11 AM on September 6, 2013


Where are the protest organizers hanging out?

Restore the Fourth seems to be a kinda response to the NSA stuff.
posted by Noisy Pink Bubbles at 10:14 AM on September 6, 2013 [3 favorites]



Nobody in tech (or who read David Gerrold's War Against The Chtorr) is surprised by any of this. I am just waiting for the next exigent threat to the US citizenry to make all of this concern go away.

As a whole, exceptions aside, the US voting public urgently cast aside rights after 9/11 and will urgently do so again when circumstances seem to warrant. Because, remember, they're only going after the bad people.

So if you've done nothing wrong you've got nothing to worry about (aside from the deadly Ys: jealousy, bribery, zealotry, mistaken identity...)
posted by lon_star at 10:16 AM on September 6, 2013


As a whole, exceptions aside, the US voting public urgently cast aside rights after 9/11 and will urgently do so again when circumstances seem to warrant. Because, remember, they're only going after the bad people.

Hence the drive to drag the USA into Syria.

Endless war.
posted by anemone of the state at 10:19 AM on September 6, 2013 [1 favorite]


Let me try again. What I'm suggesting is rather than having machines A,B,C, and D that all have your private key so you can SSH to any other box:
A --- B
|\   /|
| \ / |
|  X  |
| / \ |
|/   \|
C --- D
You have a management machine, M, that is the only host that can initiate key-based auth to another host:
M ----A
    |-B
    |-C
    |-D
In the latter case, you would SSH into M, which is a locked down host, and then use M to access your other servers. The especially paranoid would have hosts.allow on A,B,C, and D set to only M.
posted by bfranklin at 10:21 AM on September 6, 2013 [1 favorite]
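The two layouts discussed here, titus-g's per-host keys in `~/.ssh/config` and bfranklin's single management host M, as one client configuration. This is an added illustration and not anyone's real setup: the user, host names and the 203.0.113.5 address are placeholders. It goes one step further than logging in to M and hopping from there: `ssh -W` makes the bastion session a plain TCP forward, so the inner connection is still end-to-end and authenticated with a key that never leaves the laptop.

```ssh_config
# ~/.ssh/config on the laptop, the only machine that holds private keys.
# Added illustration for this thread, not anyone's actual config.

# M: the bastion.  Its own key, used from the laptop only.
Host bastion
    HostName bastion.example.org
    User alice
    IdentityFile ~/.ssh/id_rsa_bastion

# A, B, C, D: reachable only by way of M.  'ssh -W host:port' turns the
# bastion session into a TCP forward to the inner host, so the inner sshd
# still sees a normal client that authenticates with the laptop's key; M
# never needs a copy of it.
Host web1 db1 ec2-app
    User alice
    IdentityFile ~/.ssh/id_rsa_internal
    ProxyCommand ssh -W %h:%p bastion

Host *
    IdentitiesOnly yes         # offer only the IdentityFile named above, not every loaded key
    ForwardAgent no            # a compromised server must not be able to borrow your agent
    PasswordAuthentication no
    HashKnownHosts yes

# On each inner host, ~/.ssh/authorized_keys pins the internal key to the
# bastion's address, so it is useless from anywhere else even if it leaks:
#   from="203.0.113.5",no-agent-forwarding,no-X11-forwarding ssh-rsa AAAA... alice@laptop
```

The `from=` restriction is the authorized_keys equivalent of bfranklin's hosts.allow suggestion. If you really must initiate from a cloud box, as migurski describes, that box gets its own separate key, pinned the same way and rotated on the schedule bfranklin mentions, rather than a copy of the laptop's.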


bfranklin, isn't that setting up a situation where M is the only machine that needs to be hacked? (See also: Tailored Access Operations.)
posted by RedOrGreen at 10:31 AM on September 6, 2013


I am just waiting for the next exigent threat to the US citizenry

The NSA is the exigent threat to the US citizenry.
posted by ryoshu at 10:40 AM on September 6, 2013 [2 favorites]


bfranklin, isn't that setting up a situation where M is the only machine that needs to be hacked? (See also: Tailored Access Operations.)

Quoting my earlier comment: In the peer to peer model, I can ssh to any box as you once I compromise your account on any box.

In the root management node model, I can ssh to any box as you once I compromise your account on one heavily defended box.

Having your key in less places leads to greater security.


TAO applies in both scenarios, so it doesn't really weigh into the comparison. And having your key stored on non-removable media on an always-on host is galactically stupid if you're worried about an adversary with TAO capabilities.
posted by bfranklin at 10:41 AM on September 6, 2013 [1 favorite]


I think I have a more audience-appropriate analogy: this is like when the Federation realized that the Romulans could remote control all their fancy touchscreen control systems and had to revert to the low-tech mechanical stuff seen in the original series.
posted by feloniousmonk at 10:43 AM on September 6, 2013 [3 favorites]


They have ruined the entire known universe of security systems

Speaking purely technically, I'm curious about how much that is true. I haven't seen much analysis of examples of the exploits yet but here's two on my mind.

In the Dual_EC_DRBG the back door is only openable if you have the key. A specific secret random number that only NSA knows. That doesn't really weaken the whole system in a way someone else can exploit it short of stealing the secret key from NSA. In a technical sense it seems like a responsible back door and as long as you trust NSA it causes no harm.

Since these reports yesterday I've been thinking a lot about DSA-1571-1 openssl -- predictable random number generator. I think the change that introduced that bug was a simple well intentioned mistake, not deliberate NSA sabotage. But it's a great example of a flaw that once discovered allows anyone to compromise the system. There is no secret key necessary to exploit the flaw; were it a deliberate back door, it's a very irresponsible one. This bug severely compromised all Debian and Ubuntu systems including important applications like HTTPS and SSH. It's also a bug that existed for nearly 2 years in a high profile Linux distribution. Not the best work for the good guys.
posted by Nelson at 10:43 AM on September 6, 2013 [1 favorite]
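What "only openable if you have the key" means for Dual_EC_DRBG, as a runnable toy. This is an added illustration and not code from any real implementation: the field (p = 1019), the curve and the truncation (2 dropped bits instead of 16) are scaled down so it runs instantly, but the algebra is the one in the standard. `BACKDOOR_E` is the assumed secret relating the two published points, P = e·Q; the point is that one output plus e gives the generator's next internal state, while without e the outputs look like random bits.

```python
"""Toy Dual_EC_DRBG with the planted backdoor Nelson describes.  Added illustration,
not any real implementation: p = 1019 and 2 dropped bits stand in for the 256-bit
curve and 16 dropped bits of the real thing.  BACKDOOR_E is the assumed secret with
P = e*Q; whoever holds it turns one output into the generator's next state."""
P_FIELD = 1019                   # prime with p % 4 == 3, so sqrt(z) = z^((p+1)/4)
A = 2                            # curve y^2 = x^3 + A*x + B over GF(p); B chosen below
DROP_BITS = 2
KEEP_BITS = P_FIELD.bit_length() - DROP_BITS
OUT_MASK = (1 << KEEP_BITS) - 1  # an output is the low KEEP_BITS bits of x(s*Q)

def ec_add(p1, p2):
    """Affine addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, P_FIELD - 2, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow(x2 - x1, P_FIELD - 2, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return x3, (lam * (x1 - x3) - y1) % P_FIELD

def ec_mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def count_points(b):
    """Naive group order: 1 + sum over x of (1 + Legendre(x^3 + A*x + b))."""
    total = 1
    for x in range(P_FIELD):
        z = (x * x * x + A * x + b) % P_FIELD
        total += 1 if z == 0 else 2 * (pow(z, (P_FIELD - 1) // 2, P_FIELD) == 1)
    return total

def pick_curve():
    """Smallest B giving a non-singular curve of prime order: every point generates."""
    for b in range(1, P_FIELD):
        n = count_points(b)
        if (4 * A ** 3 + 27 * b * b) % P_FIELD and is_prime(n):
            return b, n
    raise ValueError("no prime-order curve for this A")

def lift_x(x):
    """Point with this x, or None.  Either sign of y works: x(e*R) == x(e*(-R))."""
    z = (x * x * x + A * x + B) % P_FIELD
    y = pow(z, (P_FIELD + 1) // 4, P_FIELD)
    return (x, y) if y * y % P_FIELD == z else None

B, N = pick_curve()
Q = next(pt for pt in map(lift_x, range(P_FIELD)) if pt)  # the standard's fixed Q
BACKDOOR_E = 7                                            # assumed secret, never published
P = ec_mul(BACKDOOR_E, Q)                                 # the standard's fixed P = e*Q

def dual_ec_step(s):
    """One iteration: s <- x(s*P); emit the low bits of r = x(s*Q)."""
    s = ec_mul(s, P)[0] % N or 1      # 'or 1' only covers the toy field's x == 0 corner
    return s, ec_mul(s, Q)[0] & OUT_MASK

def run(s, count):
    """Advance the generator count times; return (outputs, final state)."""
    outs = []
    for _ in range(count):
        s, o = dual_ec_step(s)
        outs.append(o)
    return outs, s

def recover_state(seen, e):
    """The backdoor.  seen[0] is a truncated x(s*Q): guess the dropped bits, lift to
    R = s*Q, then e*R = s*(e*Q) = s*P, whose x-coordinate is the NEXT state.  Later
    outputs only reject wrong guesses.  Returns the state after seen[-1]."""
    for high in range(1 << DROP_BITS):
        x = seen[0] | (high << KEEP_BITS)
        R = lift_x(x) if x < P_FIELD else None
        S = ec_mul(e, R) if R else None
        if S is None:
            continue
        s = S[0] % N or 1                              # the state behind seen[1]
        if ec_mul(s, Q)[0] & OUT_MASK != seen[1]:
            continue
        later, s_end = run(s, len(seen) - 2)
        if later == seen[2:]:
            return s_end
    return None

def demo(seed=0xC0FFEE):
    """Victim emits 5 outputs; the attacker sees 3 and predicts the other 2 exactly."""
    outs, _ = run(seed % N or 1, 5)
    predicted, _ = run(recover_state(outs[:3], BACKDOOR_E), 2)
    return outs[3:], predicted
```

Without e the same outputs are as opaque as they look: finding e from P and Q is a discrete logarithm, which is trivial on this toy curve but out of reach on the real 256-bit one. That asymmetry is exactly Nelson's distinction, and it is what Shumow and Ferguson pointed out in their 2007 CRYPTO rump-session talk: the construction permits a trapdoor that only the party who chose the points can use.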


I would be extremely curious to know what the reaction to this news is in places like the network security group at large banks.
posted by feloniousmonk at 10:56 AM on September 6, 2013


the network security group at large banks.

Based on personal experience? "Our security measures are already swiss cheese and we can't get budget to fix, so until another bank gets defrauded out of a few million, management isn't going to think it's a good investment to shore things up"
posted by bfranklin at 11:01 AM on September 6, 2013 [3 favorites]


NYT Public Editor: Decision to Publish Against Government Request Was ‘Not a Particularly Anguished One’

Although she does note "The Times did agree to withhold some material from the story."
posted by Noisy Pink Bubbles at 11:16 AM on September 6, 2013 [1 favorite]


Butlerian Jihad, anyone?
posted by sandettie light vessel automatic at 11:19 AM on September 6, 2013 [2 favorites]


On a related note, Jim Sensenbrenner, the author of the Patriot Act, has filed an amicus brief on behalf of the ACLU in their lawsuit against dragnet call record collection. Jim Sensenbrenner is also beating the informed-consent drum:
Defendants’ only evidence supporting implied ratification is the assertion that a 5-page report was made available for Members of Congress to read in a secure location for a limited period of time in both 2009 and 2011, when Congress was considering whether to reauthorize Section 215 as a whole. … However, the 5-page report was only a brief summary, sorely lacking in detail, with only one sentence that hinted at the breadth of the program. Moreover, the report was not made available to House Members in 2011. … Nor were Members of Congress given access to any of the FISC orders approving of the bulk collection of call data. Even if mere notice were enough, it would have to be actual notice. Defendants make no attempt to demonstrate that all, or even most, Members of Congress had actual notice that the government was engaging in the bulk acquisition of the telephone records of Americans.
We trust Congress to reauthorize the Patriot Act, but we do not trust them to know what they are voting to authorize.

I made a very similar point upthread about authorization for the Syria strike, and am pretty much flabbergasted to learn that the author of the Patriot Act is joining with the ACLU to say this about his own legislation.

It's hard for the NSA and Obama to argue "Congress gave us this authority" when the author of the Patriot Act says otherwise.
posted by compartment at 11:19 AM on September 6, 2013 [7 favorites]


Sounds like contempt of Congress to me.
posted by one more dead town's last parade at 11:22 AM on September 6, 2013 [1 favorite]


Sensenbrenner and Obama are two peas in a pod. A civil libertarian when their party doesn't hold the presidency and outright big-brothers (I hesitate to use "fascist" as I think it's way overused, and quite often misunderstanding of "corporatism" as meant in actual fascist ideology).

It's like a quantum entangled political process, when you look at one party, in one position, they're this way, and the entangled takes on the opposite aspect. Spin-up/spin-down? small-l-libertarian/big-brother. Out of power? libertarian. In power? big brother. only difference, of course, is that it's not a question of randomness, we know exactly how it's played, just like Clipper Chip and Ashcroft during the Clinton Presidency.

Sensenbrenner is a piece of shit opportunist who will do anything to keep political power, and he knows that the Tea Party buys into that "Libertarian" bullshit so they lap it up with ease, and hey, since it's a black muslim kenyan voodoo witch doctor from indonesia in power, why of COURSE we oppose civil liberties violations because it's totally used against honest god fearing americans now.

I have to say, at least fucking Feingold had the sense to know that if he were to maintain any historical credibility on his civil liberties record (well as much as he could after voting for Ashcroft), he has to forsake the goal of the presidency, lest the facade be given for what it is, and his rep tarnished forever.
posted by symbioid at 11:35 AM on September 6, 2013


Nelson: "A specific secret random number that only NSA knows. That doesn't really weaken the whole system in a way someone else can exploit it short of stealing the secret key from NSA. In a technical sense it seems like a responsible back door and as long as you trust NSA it causes no harm."

I'd argue a 'responsible backdoor' is a contradiction in terms.

Even the most generous NSA supporter should be thinking that they can't be trusted with the skeleton key to the Internet for the simple reason that they don't even know what Snowden has copied from their own systems.
posted by Static Vagabond at 11:41 AM on September 6, 2013 [2 favorites]


Why do I get the feeling this disclosure isn't even the "big one"?
posted by ryoshu at 12:07 PM on September 6, 2013 [14 favorites]


Oh yeah, I totally agree that any sort of deliberate government sabotage of a cryptosystem is awful and stupid. And I don't really trust NSA, both for political reasons and questioning the competence of any bureaucracy. I'm just trying to understand the technical solutions they've employed and the damage it might cause. It's a difference of kind, whether a compromised system is weak in a way that anyone can uncover or if it's only weak if you have the secret.

I'm hoping someone does a catalog of all of the exploits we suspect NSA of having embedded in systems. I can name at least three offhand.
posted by Nelson at 12:08 PM on September 6, 2013 [1 favorite]


Snowden is going to be "Man of the Year".
posted by H. Roark at 12:11 PM on September 6, 2013 [1 favorite]


Nelson, I think we might get some interesting insight into how they've gone about it via Schneier's request that compartment links to above.

Schneier is incredibly well respected, enough, I hope, that it might sway a few techies into releasing their experiences or knowledge around the various vulnerabilities that have made their way into the foundations of our networks.
posted by Static Vagabond at 12:19 PM on September 6, 2013 [2 favorites]


One more note on the big failures of technical reporting attendant on this story — take a look at the graphic accompanying the original story in the NYT. Can you imagine anything more comically pointless than using goofy UI mockups to illustrate the idea of "software that's been compromised" like this, rather than even trying to depict the real story, which of course is taking place behind that UI?

For a publication that's usually great at information-dense graphics to run something so USA Today-like in its vapidity must be an indication of how hard this story is to report for a non-technical audience. It may, I'm still hoping, also indicate that for day 1 they only asked a bunch of non-tech-journalist graphics people for a rush job, in which case we can still hope that later reporting will get into more reasonable depth as the story grows. But you really couldn't ask for a better illustration of a broken journalistic process straining and handwaving to pseudo-explain a somewhat technical story.
posted by RogerB at 12:28 PM on September 6, 2013


Nelson: I think the change that introduced that bug was a simple well intentioned mistake, not deliberate NSA sabotage.

Schneier specifically said yesterday that according to the documents he's seen NSA-planted backdoors have been explained away as "simple mistakes" upon discovery.
posted by junco at 12:38 PM on September 6, 2013 [1 favorite]


Which brings to mind the "simple mistake" in NetBSD that broke the entropy pool that came to light a few months ago.
posted by junco at 12:45 PM on September 6, 2013 [3 favorites]


Well I don't know whether the netBSD issue was really a mistake or not, but to the NSA's infinite luck it is really hard to generate good random numbers and is very easy to honestly screw up.
posted by GuyZero at 12:53 PM on September 6, 2013


Well I don't know whether the netBSD issue was really a mistake or not, but to the NSA's infinite luck it is really hard to generate good random numbers and is very easy to honestly screw up.

Neither do I, but isn't that the whole problem here? When we now know that the NSA is spending hundreds of millions of dollars a year to infiltrate cryptographic implementations, how can you trust even, say, the core NetBSD team? Especially with such great plausible deniability as "I missed that one parenthesis: oops! Also now all your SSH keys are trivially broken".
posted by junco at 1:05 PM on September 6, 2013


NSA-planted backdoors have been explained away as "simple mistakes" upon discovery.

Yeah, but in addition there are genuine simple mistakes. My best guess, based on the history, is the Debian OpenSSL vulnerability was an actual mistake. And on first review I think the NetBSD bug is also a genuine bug and not sabotage. Both bugs are serious but seem like failures of authorship, review, and testing instead of a deliberate attack. In particular both commits are well documented and relatively easy to read (and later, audit). I'm assuming any serious effort to subvert open source software is being done in a more subtle way, either through multiple unrelated commits or code that turns out to be obfuscated. (Or just rely on implanting vulnerabilities in closed source firmware, the hardware, etc.)

But I'm just guessing. Now that the cat's out of the bag, all of our security code in the world is subject to new skepticism. The security engineers I know have always been pretty paranoid, it's frightening to learn that even with extra care our basic software is so insecure. Not just to deliberate governmental sabotage, but exploitable accidents too.
posted by Nelson at 1:55 PM on September 6, 2013 [2 favorites]


> We don't know if the maintainers of GCC or Clang were coerced into compromising their compilers

I actually don't think that this is a reasonable possibility - though pretty well everything else is.

Pick a compiler, and assume that many of the developers are moles for the NSA. Now, they of course can't just check their backdoors into the source code - because there are code reviews, and because anyone can read it.

The classic way around this is to subvert the compilers early on, and then all later compilers have the bad pieces automatically put in when they are built. The bad code never lives in the compiler source, it lives in the binaries only.

This is theoretically conceivable - but it's technically unfeasible, even with close to unlimited resources. People like me are constantly stepping through compiled code, even looking at generated assembly code. You'd need to also be subverting the debuggers and object file tools.

Even without that, how would you actually pull it off? Your patch, written a long time ago, had to be forward-thinking enough to correctly modify future versions of the compiler! GCC and particularly Clang move along at a pretty amazing clip - your code would need to change with it every time.

And of course, you'd have to make sure that the whole setup was perfectly debugged - because if it failed, it would break everyone's code, and everyone would know.
posted by lupus_yonderboy at 2:34 PM on September 6, 2013 [5 favorites]


This is theoretically conceivable

I think Ken Thompson actually implemented this once upon a time - Reflections on Trusting Trust.
posted by GuyZero at 2:38 PM on September 6, 2013


feloniousmonk: " It's hard to store it in a way that is both safe and doesn't render it useless."

This is what a strong passphrase is for. Make sure you've got over 100 bits of entropy and you at least won't (probably) be vulnerable to brute force attacks. The passphrase is used as a symmetric encryption key. Obviously, it behooves you to not enter your passphrase on untrusted machines, even if you do store your key there.

It's more secure to both have a good passphrase and to use ssh-agent forwarding so your key isn't stored anywhere except your main (secured) computer.
posted by wierdo at 2:40 PM on September 6, 2013


There is one good thing about all of this. It is getting people to take security more seriously NOW, instead of later.

All holes, loopholes, errors, what have you, are exploited eventually. Now it makes a lot more sense that someone ordinary (yet knowledgeable) would want to install a secured version of Linux for general use, which may help later on.
posted by JHarris at 3:17 PM on September 6, 2013 [1 favorite]


I'm a computer science student. I've read Cryptonomicon. But I still feel lost when it comes to computer security. I've been writing a php web application that incorporates a form in which users enter their name and address, and I'm thinking "boy, this should probably be a secure form, we should be using https." Then it hits me - I have no idea how an attacker would intercept POST data, even if it was cleartext.

Then this shitstorm goes down, and I spend all day reading news and wiki articles and links about cryptography. Maybe I know what a Mersenne twister is now, but I'm still not sure how an attacker would intercept encrypted data. I feel like this is a glaring hole in my knowledge about the internet. How would someone snoop in on an http or https exchange?

Maybe this isn't the right place to ask this question, but it's been bugging me for days.
posted by morae at 3:56 PM on September 6, 2013 [1 favorite]


I don't know much more than you (or rather, I haven't synthesized the knowledge I've obtained into much of a workable model, I know more than I've had the chance to digest), but....

When you communicate with another machine on the internet, the two ends are not the only actors involved. Between them are a number of other machines which relay the messages between you. At any machine along the way the packets could be intercepted and sent to who knows what party, and the IP address on the packets could be used to single out the packets for diversion.

Encryption isn't a universal solution either, for reasons such as this, but there's also the phenomenon of the man-in-the-middle attack. To establish a secure connection, the sides typically have to communicate in an unencrypted fashion first, and if a third party can intercept that message it can then decrypt later packets, because it'll have access to the keys involved. I think? I'm still working through this.
posted by JHarris at 4:07 PM on September 6, 2013


Oh, and:
Maybe this isn't the right place to ask this question, but it's been bugging me for days.

I think this is a fine place to ask, and if it's not, there's an entire subsite devoted to questions like that....
posted by JHarris at 4:07 PM on September 6, 2013


How would someone snoop in on an http or https exchange?

Hacking - The Next Generation from O'Reilly is a pretty good intro on that score (especially since there always seems to be some offer to get 50% off on their ebooks [I have so very many O'Reilly (e|p)books]).
posted by titus-g at 4:25 PM on September 6, 2013


Umm, didn't mean to sound so much like an advert. What I meant was don't ever pay full price for their books....
posted by titus-g at 4:27 PM on September 6, 2013


Make sure you've got over 100 bits of entropy
So, you need more than 'correct horse battery staple'
posted by nightwood at 4:34 PM on September 6, 2013
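A worked version of the arithmetic behind wierdo's "over 100 bits" and nightwood's question about "correct horse battery staple", added here as an example and not taken from the thread or from any project. The word-list sizes are the real ones (7776 for Diceware, 2048 for the list in the comic); the guess rate is an assumption chosen for illustration, and the sample word list is constructed.

```python
"""Passphrase entropy: how long a passphrase must be for a given security
level, and roughly what that buys against brute force.

Added example for this thread, not code from any project named here.
"""
import math
import secrets

# Assumption for illustration only: guesses per second against a stolen,
# unstretched key file. A key-derivation function in the key wrapper
# (e.g. many PBKDF2 rounds) divides this number accordingly.
GUESSES_PER_SECOND = 1e12

DICEWARE_WORDS = 7776      # 6^5, the standard Diceware list
XKCD_WORDS = 2048          # list size assumed by the comic (11 bits/word)
PRINTABLE_ASCII = 95       # characters available to a "random" password

# Constructed sample word list, just so generate_passphrase() runs offline.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "bishop",
                   "cactus", "dragon", "ember", "falcon", "glacier", "harbor"]


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols chosen independently and uniformly."""
    return length * math.log2(alphabet_size)


def symbols_needed(target_bits, alphabet_size):
    """Smallest number of symbols that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def expected_crack_years(bits, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to hit the secret: half the keyspace on average."""
    seconds = (2 ** (bits - 1)) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(wordlist, n_words):
    """Choose words with the OS CSPRNG; a human picking 'random' words is
    the usual way a 100-bit estimate turns into a 20-bit reality."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def summary(target_bits=100):
    """Table of how many symbols each scheme needs to reach target_bits."""
    return {
        "xkcd-style words": symbols_needed(target_bits, XKCD_WORDS),
        "diceware words": symbols_needed(target_bits, DICEWARE_WORDS),
        "printable ASCII chars": symbols_needed(target_bits, PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    four = entropy_bits(XKCD_WORDS, 4)
    print(f"'correct horse battery staple': {four:.0f} bits, "
          f"~{expected_crack_years(four) * 365.25 * 86400:.0f} s at the assumed rate")
    for scheme, n in summary(100).items():
        print(f"{n:3d} {scheme} for 100 bits")
    print("example (constructed list, too small for real use):",
          generate_passphrase(SAMPLE_WORDLIST, 10))
```

The numbers that matter: four words from a 2048-word list is 44 bits, which at the assumed rate falls in seconds; clearing 100 bits takes ten such words, or eight Diceware words, or sixteen fully random printable characters. Key stretching buys a constant factor, not the exponential one that extra words do.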


How would someone snoop in on an http or https exchange?

For HTTP, any point along the wire, though your bad actor would need access to the wire (or transport) to be able to see the traffic, which means owning a proxy, router, switch or somesuch along the way. An easier way to get the goods is via malware, which might include a keylogger or a component which sweeps your browser password cache, alters your HTTP proxy settings or all of the above.

Or you can get a Remote Administration Tool (RAT) installed onto your victim's workstation, and then do whatever you want.

N.B. - I work for a company involved in this sort of thing.
posted by jquinby at 4:38 PM on September 6, 2013 [2 favorites]


This is theoretically conceivable - but it's technically unfeasible, even with close to unlimited resources. People like me are constantly stepping through compiled code, even looking at generated assembly code. You'd need to also be subverting the debuggers and object file tools.
I don't want to spend much time justifying this particular approach, because I agree that it's not super likely, but I think it's far more feasible than you think. The magnitude of the change doesn't need to be that large, because all you need is a very small change to greatly reduce the entropy that goes into key generation. And as demonstrated by the Debian and NetBSD bugs, bugs can persist for quite some time even when they're in plain sight, because there is a ton of code out there, and even auditing everything takes an enormous amount of people-hours. And it wouldn't take that much more effort to make GCC produce compiles of GDB that hide the minor changes as well. And with an obscure and hideous code base, say, OpenSSL, nobody wants to spend much time messing with it either. They may be profiling the speed critical cipher sections with a fine-toothed comb, but key generation is not generally a performance critical area.

And the value of compromising all GCC compiles of OpenSSL on x86 would be absolutely enormous, as OpenSSL underlies so much of our communications infrastructure. Even spending dozens of millions of dollars for development and covert installation onto a key GCC dev's machine would be extremely economical. And as Schneier points out, for the NSA this is all about economics; with a budget of millions of dollars, they're hoping to weaken the largest amount of communications possible.
posted by Llama-Lime at 4:42 PM on September 6, 2013 [2 favorites]


How would someone snoop in on an http or https exchange?

The answer to this lies more in networking than in security. So, let's look at the trivial case -- someone compromises one of the hosts on either end of the connection and we're dealing with HTTP. One can either hook the system calls that are handling the traffic and get the information at the application layer, or one can simply (using admin or root privileges) dump the raw packets entering the interface using something like tcpdump or wireshark.

Getting something in the middle of those connections isn't much different; there's just some work to make sure wireshark or tcpdump can see those packets. In that case, you can (if you own a router somewhere out in the cloud) advertise false route information to have the traffic pass through you. You can ARP spoof to get a router to deliver the message to you thinking that you're the endpoint. Or you can masquerade as the endpoint's IP.

The latter case is particularly useful when dealing with HTTPS. One can engage in DNS cache poisoning to send an arbitrary hostname (e.g., google.com) to an IP address of one's choice. You effectively act as a proxy at this point -- sender talks to you, thinking you're the endpoint, and you talk to the endpoint. The endpoint thinks you're the sender, so it replies to you, and you forward that along to the original sender.

This allows us to conduct a man-in-the-middle attack where the sender connects to me, I give the sender an SSL certificate for endpoint.com, sender thinks it has a secure connection with me. There are some caveats with this attack, but the general rule is that if I can poison your DNS, I can man-in-the-middle you with relative impunity (we'll save the certificate verification discussion for another comment). This allows me to read the HTTPS traffic without an issue.

There are also a few protocol attacks against older versions of SSL, and TLS with specific configuration settings. Those are way too complex for me to get into given that I'm heading out to a birthday party shortly, but look at BREACH, CRIME, and BEAST all by the same group of researchers. These allow me to try and derive the session key for the TLS session by injecting spoofed packets into your HTTPS session.

This is far more of a shotgun overview than what I'd actually give someone I was teaching this stuff to, but a lot of folks have gone over the individual components mentioned here in blogs far better than I could go over all of it in a single comment.
posted by bfranklin at 4:45 PM on September 6, 2013 [9 favorites]


To establish a secure connection, the sides typically have to communicate in an unencrypted fashion first, and if a third party can intercept that message it can then decrypt later packets, because it'll have access to the keys involved. I think? I'm still working through this.

See above for a description, but one thing I want to address in your comment is that you're right that initial negotiation happens in the clear. However, it uses the Diffie Hellman key exchange algorithm to do that negotiation. Diffie-Hellman is designed so that even if you listen to the entire conversation, you can't find out the session key that is agreed upon for the SSL connection. It relies on the fact that any eavesdropper does not have access to the private key associated with the server's SSL certificate.
posted by bfranklin at 4:50 PM on September 6, 2013 [1 favorite]
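The exchange bfranklin describes, written out as an added example (not code from the thread or from any TLS implementation): a Diffie-Hellman run in which the eavesdropper sees every message yet cannot compute the shared secret, followed by the active man-in-the-middle that works whenever nothing authenticates the public values. In TLS the server's certificate private key signs the exchange, which is what prevents the substitution shown in the second half; a passive listener is defeated by the discrete-log problem alone. Parameters are toy-sized (a 128-bit safe prime generated at runtime, labelled as such in the code) so the script finishes quickly.

```python
"""Diffie-Hellman over a prime field: honest run vs. unauthenticated MITM.

Added example for this thread, not code from any product discussed here.
Parameters are toy-sized on purpose (a 128-bit safe prime generated on the
fly); real deployments use 2048-bit or larger groups or elliptic curves, and
sign the public values so the substitution in mitm_exchange() is detected.
"""
import secrets

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47]


def is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test, trial division first."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # random witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                           # witness proves n composite
    return True


def gen_safe_prime(bits):
    """Return p = 2q + 1 with p and q both prime; then g = 4 has prime order q."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(p) and is_probable_prime(q):
            return p


def keypair(p, g):
    """Private exponent x in [2, q-1] and public value g^x mod p."""
    q = (p - 1) // 2
    x = secrets.randbelow(q - 2) + 2
    return x, pow(g, x, p)


def honest_exchange(p, g=4):
    """Alice and Bob trade public values; Eve sees only p, g, A and B."""
    a, A = keypair(p, g)
    b, B = keypair(p, g)
    return {
        "eve_sees": (p, g, A, B),
        "alice_secret": pow(B, a, p),              # g^(ab) mod p
        "bob_secret": pow(A, b, p),                # same value
    }


def mitm_exchange(p, g=4):
    """Same protocol with Mallory on the path substituting her own values.

    Nothing binds A to Alice or B to Bob, so each side unknowingly agrees a
    key with Mallory, who decrypts and re-encrypts in the middle.
    """
    a, A = keypair(p, g)                # Alice sends A; Mallory keeps it ...
    m1, M1 = keypair(p, g)              # ... and forwards M1 to Bob instead
    b, B = keypair(p, g)                # Bob replies B; Mallory keeps it ...
    m2, M2 = keypair(p, g)              # ... and forwards M2 to Alice instead
    return {
        "alice_secret": pow(M2, a, p),            # Alice believes this is with Bob
        "mallory_with_alice": pow(A, m2, p),
        "bob_secret": pow(M1, b, p),              # Bob believes this is with Alice
        "mallory_with_bob": pow(B, m1, p),
    }


if __name__ == "__main__":
    p = gen_safe_prime(128)
    h = honest_exchange(p)
    print("honest run, secrets agree:", h["alice_secret"] == h["bob_secret"])
    m = mitm_exchange(p)
    print("MITM: Alice and Mallory agree:", m["alice_secret"] == m["mallory_with_alice"])
    print("MITM: Bob and Mallory agree:  ", m["bob_secret"] == m["mallory_with_bob"])
    print("MITM: Alice and Bob agree:    ", m["alice_secret"] == m["bob_secret"])
```

The second function is the attack the certificate system exists to stop: the substitution is invisible to both ends unless one of them can verify that the value it received really came from the other party.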


And if anyone wants more detailed explanations on this stuff, feel free to leave a note. If you haven't figured out yet, I love this stuff, and love talking about it. I'm more than happy to run through anything I'm familiar with, and do some digging on the stuff I'm less sharp on. Okay, going to that birthday party now.
posted by bfranklin at 4:56 PM on September 6, 2013


morae - as others have pointed out, the most obvious way that an attacker would intercept communications (without tinkering with your machine specifically, as in jquinby's example) would be through a man-in-the-middle attack. This is where you think you're talking to your destination, but in reality you're talking to a different machine that is just passing data from your machine to the one you're talking to. I'm a little out of my element, but I believe there are lots of exchanges where equipment can be installed to perform these types of attacks. It's pretty trivial to figure out what that traffic is if it's in plaintext.

Encryption was supposed to solve this problem, but there are still ways to perform MITM attacks by using a certificate and a tool like sslsniff. I now operate under the assumption that the NSA has spoofed certs from major certificate authorities (at least many of the ones installed by default). Now that I think of it, there's a good talk by Moxie Marlinspike on why SSL connections aren't secure. It mostly revolves around the broken certificate authority system that has been in place since the 90s.

I was about to write more, but previewed and think others have covered it well. I saw the mentions of DNS cache poisoning and ARP spoofing - are those even necessary if the NSA has a Room 641A-style setup at major exchange points?
posted by antonymous at 4:57 PM on September 6, 2013 [2 favorites]


bfranklin, I really appreciate your contributions to this thread - I'm sure I will have more questions after I do more research into it
posted by antonymous at 4:59 PM on September 6, 2013


For HTTP, any point along the wire

It's even easier if your target is using wireless Internet. Like anyone on a mobile device, or at a conference, or on campus... Firesheep was the breakthrough proof of concept here, automating stealing HTTP cookies from public wireless access points. It's a big part of the reason so many services have moved to HTTPS.

Hacking SSL/TLS/HTTPS is harder. I'm guessing from the Bullrun articles that NSA mostly just breaks into the computers at either end. But an intercept is possible too. SSL relies on the signed server certificate being secure and trusted. And we've seen in the past couple of years that several registrars have been subverted, hacked into issuing inappropriate certificates. I'd assume that Advanced Persistent Threats like the NSA or China have much more sophisticated infiltration of the SSL certificate infrastructure. And once that's broken, the whole thing is broken. The EFF SSL Observatory is one way we would become aware of this kind of attack.
posted by Nelson at 5:54 PM on September 6, 2013 [1 favorite]
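What the on-path sniffing in bfranklin's overview and the Firesheep-style cookie theft in Nelson's comment actually recover from the wire, as an added example that is not from the thread or from either tool. It parses a reassembled client-to-server TCP stream the way a capture from tcpdump or Wireshark would look, pulls out the form fields morae's PHP app would send and the session cookie, and then builds the replayed request a hijacker would send. The capture, host, path, cookie and form values are all constructed for the example.

```python
"""Passive sniffing of plaintext HTTP: what an attacker on the path, or on
the same open wireless network, recovers from a captured TCP stream, and
how a stolen session cookie is replayed.

Added example for this thread, not code from any tool named here.
"""
from urllib.parse import parse_qs

# Constructed sample: two requests as they appear in a reassembled port-80
# stream. CRLF line endings as HTTP requires. Values are made up.
BODY = b"name=Alice+Example&address=1+Main+St%2C+Springfield&zip=12345"
CAPTURED_STREAM = (
    b"POST /signup.php HTTP/1.1\r\n"
    + b"Host: example.test\r\n"
    + b"Cookie: PHPSESSID=3f9a1c2b7d; theme=dark\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: " + str(len(BODY)).encode() + b"\r\n"
    + b"\r\n"
    + BODY
    + b"GET /account HTTP/1.1\r\n"
    + b"Host: example.test\r\n"
    + b"Cookie: PHPSESSID=3f9a1c2b7d\r\n"
    + b"\r\n"
)


def parse_requests(stream):
    """Split a client->server stream into requests and extract what an
    attacker cares about: form submissions and cookies, per host."""
    requests = []
    pos = 0
    while True:
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            break
        head = stream[pos:end].decode("iso-8859-1")
        lines = head.split("\r\n")
        method, path, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        # Content-Length tells us where this request's body ends and the
        # next request on the same connection begins.
        body_len = int(headers.get("content-length", "0"))
        body_start = end + 4
        body = stream[body_start:body_start + body_len]
        pos = body_start + body_len
        cookies = {}
        for part in headers.get("cookie", "").split(";"):
            k, _, v = part.strip().partition("=")
            if k:
                cookies[k] = v
        form = {}
        ctype = headers.get("content-type", "")
        if ctype.startswith("application/x-www-form-urlencoded"):
            # parse_qs decodes '+' and %XX escapes back to the typed text
            form = {k: v[0] for k, v in parse_qs(body.decode("iso-8859-1")).items()}
        requests.append({"method": method, "host": headers.get("host"),
                         "path": path, "cookies": cookies, "form": form})
    return requests


def forge_request(host, path, cookies):
    """The hijacker's request: our path, the victim's cookie. The server
    cannot tell it from the victim's own browser."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode()


if __name__ == "__main__":
    for req in parse_requests(CAPTURED_STREAM):
        print(req["method"], req["host"], req["path"])
        print("  cookies:", req["cookies"])
        print("  form:   ", req["form"])
    stolen = parse_requests(CAPTURED_STREAM)[0]["cookies"]
    print(forge_request("example.test", "/account", {"PHPSESSID": stolen["PHPSESSID"]}))
```

Everything the parser pulls out is sitting in the clear on an HTTP connection. Over HTTPS the same position on the path yields only TLS records, which is why the attacks in the rest of this thread go after the endpoints or the certificate system instead of the wire.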


How would someone snoop in on an http or https exchange?

The answers above are great, and have deepened my understanding of how some random blackhat or even an organized group would do this. But does the NSA really have go through all that? They don't need to break into anything to take advantage of this. This (and whatever undisclosed math advances they've made) is the second step after traffic capture. This enables their offline analysis after they capture a data flow under the previously disclosed and acknowledged programs, the raison d'etre of the new data center, "Bumblehive."

From my understanding of the information reported so far, the NSA or FBI saunters into a major peering point with a FISA warrant and/or a National Security Letter, and install a Narus that is designed and supported for these operations. (That image I just linked to is called 'prism.png' by the by. One wonders if the eponymous surveillance program wasn't too-cleverly referencing the design of the capture system underlying it.)

They store that session and subject it to an offline attack or a playback attack, using their backdoors and secret keys.

If you're talking about the NSA penetrating a host so they can access data other than what is being sent and received, then yes obviously we're back in the world of systems penetration. But the question was how someone/NSA spies on a data session over the wire, not how backdoored crypto can be used to crack a system. (If you can even call it cracking when you've caused the vuln to be built in.)

I've also been wondering if some advance knowledge of this leak was part of Groklaw's shuttering. Now I understand the 'we can't possibly trust any feasible digital communications, we can't trust our office systems, we can't secure our LAN" sentiment.
posted by snuffleupagus at 7:01 PM on September 6, 2013 [1 favorite]


Endless war.

AUSCANZUKUS has always been at war with Eastasia.
posted by XMLicious at 7:54 PM on September 6, 2013 [1 favorite]


morae: "I've been writing a php web application that incorporates a form in which users enter their name and address, and I'm thinking "boy, this should probably be a secure form, we should be using https." Then it hits me - I have no idea how an attacker would intercept POST data, even if it was cleartext."

This is precisely why the revelation of the backdoors in off the shelf hardware is so important. Assuming that the path is wires all the way, there are only two ways of intercepting your traffic. One is to gain physical access to the wires and tap them, which is what we knew the NSA to be doing. The other is to have control of a router, switch, or other device (could even be an IP-aware fiber multiplexer owned by the telco) between you and the server you are accessing. With that control, a person can send some or all of the transiting data elsewhere on the Internet. Typically this ability is used for intrusion detection or lawful intercepts, but is under the sole control of the owner of the device.

Thus, given half-decent security practice and a lack of security holes in the device's firmware, it's not a huge worry. You're more likely to get your own computer infected with spyware than you are to have your data intercepted by anyone other than government agencies and network owners. There has definitely been a long parade of security issues, not the least of which is clueless people using obvious passwords or even never changing them from the default, but they've typically been fairly difficult to exploit, and the rate of discovery of serious bugs like this has been going down.

Now it is known that the NSA has backdoors embedded in many of these devices. You can be assured that as we speak people are examining them very closely. Unless the NSA has done an impossibly exceptional job hiding their handiwork in every single model of networking device possibly up to and including many widely deployed server and desktop platforms the backdoor will be found by outsiders. It can reasonably be assumed that the design of the backdoor is likely robust against defense and difficult to detect in use, so it follows that once discovered it will see wide exploitation that will be difficult to defend against.

Even worse, if these backdoors are in endpoint equipment, like, say, Google's servers it's not just data in transit that is at risk, but also data at rest. The only answer there is Mega-style storage where the data is encrypted on your computer before being stored in the cloud. And that being possible depends on the NSA not having subverted the cryptographic routines in your operating system or even your CPU to make encrypted data easier to crack. Sadly, that has also been implied to be the case. That said, Bruce Schneier has seen some of the Snowden docs and thinks that it's still possible to have reasonably effective crypto, so it may not be quite that bad. Fully end-to-end encryption between hardened computers may still be possible to make work, if you can find a computer you feel comfortable does not have any NSA backdoors in it.

Failing that, the only way to transmit a message securely would be by using computers that have never been connected to a network, and even then great care must be taken if you plan on passing that message across the Internet by copying it onto removable media.

Now, before you go unplugging yourself from the Internet, practically speaking it's not that bad, at least if the bad guys don't decide to use their newfound access to shit in the pool and knock everything dead. You can still fart around on the Internet, just remember that everything you do could be seen by everyone on earth, including what you're doing in front of that webcam. This is basically how the sort of people who constantly get spyware infestations live now anyway, and even most of those folks don't get their bank accounts drained or nude pics from the webcam posted for all to see (or used for blackmail).

I for one am glad my bank's website doesn't allow money transfers. Credit cards are not my problem, so whatever, I'll still shop online. Not with my debit card, though. Nor will you find me typing my social security number into any online forms if I can help it. Other than that I'm going to do my best to keep any of my networks from having any uninvited guests and stop transmitting especially sensitive data over the Internet, encrypted or not. Back to taking tapes home for the off site backup, I guess. But you'll still find me futzing around here, just without a webcam plugged in. ;)

Not that it will help in the worst case scenario: The backdoors are so pervasive that the vaults are all thrown open to anyone who bothers to look. All the security you can muster doesn't help if someone gets into your bank's internal systems through an NSA-sponsored back door. I was going to say it would be a nightmare if the big database companies were infiltrated, but then I realized everything they've got could be just as easily stolen from the people who originate that data. Compared to the liability those companies will face if the worst case scenario pans out, most of us here have nothing to worry about though. Other than imminent economic collapse, of course, but that's not exactly a new threat.
posted by wierdo at 8:03 PM on September 6, 2013 [2 favorites]


And that being possible depends on the NSA not having subverted the cryptographic routines in your operating system or even your CPU to make encrypted data easier to crack.

CPUs don't have "cryptographic routines." You're more likely to have a problem with the crypto library that your client is using.
posted by kdar at 8:38 PM on September 6, 2013


Modern processors do have cryptographic routines, but AES-NI couldn't be compromised without it becoming inoperable. However the Intel instructions for random number generation, which were used on Linux directly for some time, are likely subverted.
posted by Llama-Lime at 8:44 PM on September 6, 2013


bfranklin: That's a great overview of the things we need to be worried about today, but has less bearing on what this leak should make us worry about in the future.

There's not that much variation in what equipment is used in most networks. Find the backdoor in a second tier manufacturer's most common router model and you've suddenly got access to hundreds of thousands of routers across many thousands of networks and can undetectably monitor all or at least an interesting subset of any traffic traversing that network. Many large sites use SSL accelerators rather than terminating the encryption on the web server itself, so are vulnerable to having the traffic sniffed as it transits the network between the server and the device handling the encryption. That wouldn't be worrying if there weren't a backdoor in their routers and firewalls someone could use to access the internal network where that data is zipping along unencrypted for a few microseconds of its journey.

It doesn't take every one of the NSA's backdoors being found to make this a disaster, just one or two would do.

I wonder if anyone here could shed some light on whether most folks who use MPLS VPNs in place of long distance point to point circuits bother to encrypt the traffic across them or not. If not, that's a lot of business data ripe for the taking, because those VPNs, while logically isolated from normal Internet traffic, run over the same routers as Internet traffic.

On preview: kdar, yes, many do. These days it's pretty common for them to have hardware random number generators, subversion of which would be one of the least detectable ways of weakening someone's crypto, and even AES/SHA1/MD5 implemented in silicon. That's how a sub-1GHz VIA Nano can push over 1Gbps of AES-CBC encrypted IPSEC traffic. ;)
posted by wierdo at 8:45 PM on September 6, 2013 [2 favorites]


It ought to be noted that another obvious way to snoop on the information being filled out in a form on a web page is to simply look over the shoulder of the user as they're filling in the form. The technique of using a sensor to analyze the electromagnetic emissions, or "van Eck radiation", of an electronic screen displaying information and thus remotely read some of what's displayed on it has supposedly been in use since the mid-twentieth-century.

Hopefully we're not at the point of ubiquitous surveillance yet with bugs surreptitiously planted everywhere to literally look over your shoulder all the time, but except in some particularly secure environments everyone is carrying around sophisticated EM sensors (and cameras, of course) attached to computing devices that have all of the same basic security vulnerabilities we've been discussing above, in the form of mobile phones. I mean they can prevent planes from taking off if they're turned on, so who knows what else they can do?
posted by XMLicious at 9:06 PM on September 6, 2013


As Bruce Schneier stated in the Democracy Now interview linked above, the issue at the moment is the fact that we're all stumbling across the angry bear in the woods - I don't need to outrun the bear, I need to outrun YOU. The Van Eck stuff (and APTs to an extent) falls under a subset of highly expensive and targeted surveillance. This targeted surveillance, while certainly a problem, is beyond the scope of these revelations, and is not the most important issue at stake here. The problem is the surveillance that is currently conducted across every piece of data that is transmitted online, regardless of the value of the target.
posted by antonymous at 10:26 PM on September 6, 2013 [1 favorite]


And when I say "highly expensive" I don't really mean that, it's just expensive from a gov't man-hours perspective. If you want to know how easy it is to actually target someone and gain access to their computer, Google "Metasploit tutorials" and I'm sure you'll find some useful info.
posted by antonymous at 10:35 PM on September 6, 2013


I wanted to try it before, because I want to learn more about cryptography and ways to keep web applications safe(r), but after these revelations now I really want to do the Matasano Crypto Challenge:
We've built a collection of 48 exercises that demonstrate attacks on real-world crypto.

This is a different way to learn about crypto than taking a class or reading a book. We give you problems to solve. They're derived from weaknesses in real-world systems and modern cryptographic constructions. We give you enough info to learn about the underlying crypto concepts yourself. When you're finished, you'll not only have learned a good deal about how cryptosystems are built, but you'll also understand how they're attacked.

HOW DOES THIS WORK?
You mail cryptopals at matasano.com. Just say you want in.

WAIT, WHAT?
Yes: you actually compose an email.

AND THEN WHAT HAPPENS?
We send challenges, 8 at a time. You send results. We send more.

There's no grading. We probably won't run your code (we'll definitely read it though). You can ask us for help; we'll try our best...

HOW MUCH CRYPTO DO I NEED TO KNOW?
None. That's the point.

SO WHAT DO I NEED TO KNOW?
You'll want to be able to code proficiently in any language. We've received submissions in C, C++, Python, Ruby, Perl, Visual Basic, X86 Assembly, Haskell, and Lisp. Surprise us with another language. Our friend Maciej says these challenges are a good way to learn a new language, so maybe now's the time to pick up Clojure or Rust.
I am terrible at math, but dammit I am pissed off at what is going on, and feel helpless at being able to stop any of it, so maybe doing something like this would be a productive step in the right direction...

And it sounds like other people posting here might like something like this too.
posted by Asparagirl at 11:04 PM on September 6, 2013 [11 favorites]


(The "Maciej" referenced in their description is Maciej Ceglowski, the owner/creator/proprietor of Pinboard, and it was his write-up about the Matasano Crypto Challenge on the Pinboard blog a few months ago that made me think it sounded like a cool idea.)
posted by Asparagirl at 11:11 PM on September 6, 2013 [1 favorite]


antonymous, I actually wasn't proposing a particular activity on the part of the NSA, I was responding to wierdo's discussion of the "only two ways" to intercept traffic to morae's web form. Arguably what I described there isn't a method of intercepting traffic however, just something with similar security and privacy consequences.

Thing is though, since you brought it up, it's also pretty easy to gain access to computers en masse without targeting anyone in particular using similar approaches to what you mention; that's why botnets become so widespread, because with knowledge of common vulnerabilities it's sowing grain on fertile ground. Botnets are most frequently used (as far as we know) for pretty mundane purposes like sending spam because they aren't that expensive.

Yes, it's a lower-order concern compared to the use of these NSA-introduced vulnerabilities to decrypt traffic that is passively being observed, but I don't see any reason to assume that there haven't been attempts to deploy software to gain access to internet-connected sensors—like the ones in mobile phones—en masse and record their output and that consequently you only need to worry about that stuff if you believe you're a surveillance target. Wierdo's mention above of unplugging his webcam is perfectly reasonable, if only because of things like ratting, whose creep/enthusiasts may now at some point take advantage of these NSA-introduced backdoors and vulnerabilities.

(But in any case as you say, it's far from being the most important issue at stake here.)
posted by XMLicious at 12:44 AM on September 7, 2013


SSL accelerators are a great example of dedicated encryption hardware whose exploitation would have far reaching consequences. This sort of hardware is everywhere, behind every big site. The big network players all have similar features in their products. If this dedicated SSL hardware is backdoored, it really doesn't matter what you do on the client.
posted by feloniousmonk at 12:54 AM on September 7, 2013


True of WAN acceleration (compression) gateway devices generally, no?
posted by snuffleupagus at 5:53 AM on September 7, 2013


but has less bearing on what this leak should make us worry about in the future.

and

If this dedicated SSL hardware is backdoored, it really doesn't matter what you do on the client.

Depends who is doing your architecture. For example, at my shop we insist on sending any regulated data PGP encrypted over a TLS channel specifically because we're concerned about issues with unencrypted PHI sitting around on file servers. Sure, it doesn't help if an advanced attacker can get the private key on the recipient's side, but defense-in-depth is all about giving yourself a bigger window for your security ops team to detect. We just need to start consistently playing defense-in-depth with encryption. The big lesson here is that secure tunnels alone are insufficient, and those of us sending anything of interest that are cautious about these things have been operating under that assumption at LEAST since HITECH with the encrypted in motion/encrypted at rest requirements. Make the attacker work harder to break your encryption architecture.

And there's the biggest countermeasure that isn't getting mentioned with all this doom-and-gloom. Sure, you can comp my router, but it's not going to be hard for me to whip up a perl script to generate a Snort ruleset from the current firewall rules that checks for anything that looks improper. Sure, you've got TAO, but you'd better be very, very good to figure out my IDS placement when I'm running it off of a tap and the back end management and reporting is on a heavily segregated security network.

You'd better subvert every. single. netflow collector that can see your abnormal traffic.

And you'd damn well better believe I have egress filtering that's going to make egress tunneling difficult.

Everyone's always like "Oh noes, red teams!" Blue team folks are used to working at a disadvantage. Just another challenge. :)
posted by bfranklin at 5:54 AM on September 7, 2013 [1 favorite]
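One way to implement the independent cross-check bfranklin describes (a sensor the router does not control alerting on anything the firewall policy would not have permitted), as an added example rather than code from the thread or from any product named in it. The rule syntax, the flow-record layout and every address below are constructed for the example.

```python
"""Cross-check observed flows against the firewall policy, independently of the firewall.

Added example, not code from the thread or from any product named in it. If the
router is compromised, a sensor it does not control (a tap-fed IDS or a netflow
collector) should alert on any flow the firewall policy would not have permitted.
The rule syntax, the flow-record layout and every address below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AllowRule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]  # None means any destination port


# Constructed policy: what the firewall is supposed to let out of 10.0.0.0/8.
FIREWALL_POLICY = """
allow 10.0.0.0/8  -> 192.0.2.0/24     tcp 443   # partner web service
allow 10.0.0.0/8  -> 198.51.100.53/32 udp 53    # the only sanctioned resolver
allow 10.0.5.0/24 -> 203.0.113.10/32  tcp 22    # jump host, admin subnet only
"""

# Constructed flow records as a collector might export them:
# ts src dst proto dport bytes
FLOW_RECORDS = """
1378540800 10.0.7.12 192.0.2.40     tcp 443  5120
1378540801 10.0.7.12 198.51.100.53  udp 53   180
1378540802 10.0.7.12 203.0.113.10   tcp 22   900
1378540803 10.0.9.3  198.51.100.99  udp 53   410000
1378540804 10.0.5.2  203.0.113.10   tcp 22   2048
1378540805 10.0.9.3  192.0.2.40     tcp 8443 3000
"""


def parse_policy(text: str) -> List[AllowRule]:
    """Parse 'allow <src> -> <dst> <proto> [<dport>]' lines; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 5 or parts[0] != "allow" or parts[2] != "->":
            raise ValueError(f"unsupported rule: {line!r}")
        dport = int(parts[5]) if len(parts) > 5 else None
        rules.append(AllowRule(ipaddress.ip_network(parts[1]),
                               ipaddress.ip_network(parts[3]),
                               parts[4].lower(), dport))
    return rules


def flow_permitted(rules: List[AllowRule], src: str, dst: str,
                   proto: str, dport: int) -> bool:
    """True if at least one allow rule covers the flow (implicit deny otherwise)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r.src and d in r.dst and r.proto == proto.lower()
               and (r.dport is None or r.dport == dport)
               for r in rules)


def audit_flows(rules: List[AllowRule],
                records: str) -> List[Tuple[int, str, str, str, int, int]]:
    """Return every flow the policy would not have allowed.

    Because the check runs on the collector rather than the router, a router that
    has been made to pass forbidden traffic cannot hide these flows by keeping
    its own logs clean.
    """
    findings = []
    for raw in records.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, proto, dport, nbytes = raw.split()
        if not flow_permitted(rules, src, dst, proto, int(dport)):
            findings.append((int(ts), src, dst, proto, int(dport), int(nbytes)))
    return findings


if __name__ == "__main__":
    policy = parse_policy(FIREWALL_POLICY)
    for ts, src, dst, proto, dport, nbytes in audit_flows(policy, FLOW_RECORDS):
        print(f"{ts} POLICY VIOLATION {src} -> {dst} {proto}/{dport} ({nbytes} bytes)")
```

On the constructed records this flags the admin-port connection from a non-admin subnet, the large DNS flow to an unsanctioned resolver, and the non-443 connection to the partner range, while the three policy-conformant flows pass silently.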


This is a strange time to say it, but I think I'm jealous of your job.
posted by snuffleupagus at 6:23 AM on September 7, 2013 [1 favorite]


A friend observed that virtually all the NSA's sigint R&D and evaluation of schemes is contracted out. There are contractors like the Institute for Defense Analyses that the NSA runs as non-profit corporations that sell their services exclusively to the NSA. So it's not like both the brains and evaluation went to corporate goons, but...

In Mathematics, IDA has the Center for Communications Research in Princeton and La Jolla. CCR has few permanent staff but hires academic mathematicians temporarily.

Ain't hard to control academic mathematicians since they really only publish their work. If however the NSA interacts with black hat hackers similarly, then you'd expect their backdoor to get resold or exploited for personal gain.
posted by jeffburdges at 6:30 AM on September 7, 2013


Can anyone guess the redacted parts of the budget excerpt and Bullrun document?
posted by jeffburdges at 6:38 AM on September 7, 2013


jeffburdges: "Can anyone guess the redacted parts of the budget excerpt and Bullrun document?"

If I'm a betting man, SSL acceleration chips/ASICs made by folks like Cavium.
posted by jquinby at 7:30 AM on September 7, 2013 [1 favorite]


the walrus: SETEC ASTRONOMY [link]

IAO and TIA — it's not like the government didn't tell us what they were going to do (or were already doing) years ago. Dazzled by the wonders of the Internet, we hoped it wasn't true (or a paranoid delusion), but now we know. The NSA and other state surveillance agencies know that we know, and they don't care. They will never let go of this level of information gathering capability.

redorgreen: But to subvert a protocol itself and wait for it to be adopted?

Look a little deeper into your telescreen, comrade — the Darpa-funded Internet is the overlying protocol, and it's brilliantly successful. Orwell was an amateur.
posted by cenoxo at 7:54 AM on September 7, 2013 [2 favorites]


Greenwald
NSA encryption story, Latin American fallout and US/UK attacks on press freedoms. The implications of the prior week's reporting of NSA stories continue to grow.
He has something else coming out on Sunday night airing first on Brazilian TV.
posted by adamvasco at 9:18 AM on September 7, 2013 [1 favorite]


> The magnitude of the change doesn't need to be that large, because all you need is a very small change to greatly reduce the entropy that goes into key generation.

But we're talking about the C++ compilers used for everyone's code, everywhere. So either the C++ compiler has to be able to detect that it's compiling a key generator - and how would that be accomplished? Or it has to give wrong answers for everyone who does anything similar to a key generator...

> And as demonstrated by the Debian and NetBSD bugs, bugs can persist for quite some time even when they're in plain sight, because there is a ton of code out there, and even auditing everything takes an enormous amount of people-hours.

Remember, we're not at all just talking about "changing a few bits in the random key". We're talking about code that hides itself in the compiler and then rehides itself in the new binary when you recompile the compiler. This isn't going to be done with a few hundred lines of code. And this isn't code that is going to look like anything legitimate.

> And it wouldn't take that much more effort to make GCC produce compiles of GDB that hide the minor changes as well.

"Not much more effort"?!? How, exactly, would you even start to do this?

Let me recap what's being proposed. We have these extremely complex programs like gcc and gdb. The idea is that they work perfectly on almost everything, but manage to detect that they are compiling gcc, gdb, clang, the disassembler, etc. and then put in all sorts of code that gives a completely false picture of the world - but only when used on others of these broken tools.

Remember, too, that the code for this isn't monolithic - it's made up of a shitload of shared libraries, most of which are shared by dozens if not hundreds of other programs.

And remember that it has to work perfectly, all the time, as you have no way of accepting bug reports for it, and if it fails it's going to make someone's program not work, and eventually they're going to figure out that the code generation that they see isn't the code generation they get.

This isn't something that's going to be accomplished by missing some parentheses!

> I think Ken Thompson actually implemented this once upon a time - Reflections on Trusting Trust.

I'm very familiar with the original Ken Thompson paper. It doesn't seem to me that he actually did write the program and demonstrate it - the paper only sketches how it might be done. 99% of the work is hidden in one line: "compile('bug');".

And this would only work for the ultra-simple case of compiling a monolithic (i.e. not made up of shared libraries) C compiler where you needed to subvert exactly one, very well-defined operation. The idea of using that compiler to subvert the entire toolchain so it works perfectly well in nearly all cases, and in a few cases, gives a consistent result that's subtly different from the real-world result... whew!

> And with an obscure and hideous code base, say, OpenSSL, nobody wants to spend much time messing with it either. They may be profiling the speed critical cipher sections with a fine-toothed comb, but key generation is not generally a performance critical area.

This is an unrelated topic. And in this case I agree with you - given what we now know, it seems perfectly reasonable that they've hidden back doors in some of the standard security and crypto packages.
posted by lupus_yonderboy at 10:31 AM on September 7, 2013 [1 favorite]


The short Greenwald piece that adamvasco links above ends on a very interesting note. It quotes the Washington Post's description of an NSA denial:
"The Department of Defense does engage" in computer network exploitation, according to an e-mailed statement from an NSA spokesman, whose agency is part of the Defense Department. "The department does ***not*** engage in economic espionage in any domain, including cyber."
The three-asterisk pileup is in the original email. Greenwald concludes his piece by saying, "After Sunday, I think it will prove to be perhaps the NSA's most misleading statement yet."

Meanwhile, the New York Times is giving fresh coverage to the Surveillance State Repeal Act that Representative Steve Holt proposed earlier this summer. Here's Holt's summary of the bill, and here's the text of the proposed legislation.

Holt is one of the small number of scientists serving in Congress right now, and I don't think it's a coincidence that a scientist is proposing this legislation. This is hard stuff to understand if you don't have some kind of tech-y background. I think there are a lot of very smart non-specialists who don't clearly understand the magnitude of these revelations.

Holt's proposal includes a ban on government "mandated" backdoors. It's encouraging to see that he was in front of this issue before the backdoors were revealed. The wording is a little weak — I think it would still allow government "suggested" backdoors. Per his summary, it also requires the GAO to "regularly monitor such domestic surveillance programs for compliance with the law, including responding to Member requests for investigations and whistleblower complaints of wrongdoing".

I think the GAO thing is a great idea, but I still think there needs to be a full-blown Congressional investigation, something along the lines of the Church Committee.

Other news: The DOJ is finally going to release some of its secret legal interpretations related to surveillance.

Finally, here is an editorial that frames the recent revelations within the context of the last two decades of NSA power grabs. It's not the greatest essay in the world, but it's a good reminder of how the public has consistently rejected government surveillance demands — the Clipper Chip, Total Information Awareness — only to have the NSA turn around and develop those capabilities in secret.
posted by compartment at 10:36 AM on September 7, 2013 [8 favorites]


For once, I can shout "Steve Holt!" in a non silly fashion.
posted by MysticMCJ at 11:03 AM on September 7, 2013 [3 favorites]


D'oh! It's actually Rush Holt. This is, like, the fifth time I've screwed up and referred to him as Steve Holt.
posted by compartment at 11:11 AM on September 7, 2013 [3 favorites]


Yes, today's Greenwald piece has some interesting hints about global implications of a story that will come out on Sunday. Does anyone know what time Fantastico airs in Brazil?

And while I'm encouraged by Holt's proposed bill, I'm highly skeptical of any legislation that comes from within the United States. Part of this is because there is little chance of effective oversight or an enforcement mechanism over our intelligence-gathering capabilities internally. I think the only way this surveillance can be curtailed is through pressure from the international community, possibly via some sort of sanction. If we were playing Civ V, this is the part where every country simultaneously denounces the United States.

I agree that nothing short of a Congressional investigation will stop this, and even that would probably uncover far more information than could be revealed to the public, depending on what additional documents leak.
posted by antonymous at 11:49 AM on September 7, 2013 [1 favorite]


I've suggested this before, but we must revoke the legislation that protects state secrets and executive privilege beyond what executive privilege innately allows, and forbid executive privilege from limiting the actions of congressmen or judges.
posted by jeffburdges at 1:17 PM on September 7, 2013 [1 favorite]


compartment: "D'oh! It's actually Rush Holt. This is, like, the fifth time I've screwed up and referred to him as Steve Holt."

\O/ STEVE HOLT!
posted by symbioid at 2:58 PM on September 7, 2013


Can anyone guess the redacted parts of the budget excerpt and Bullrun document?

Related question: does anyone know who redacted those parts of the document? I assume that they were added at the same time that the highlighting was, just based on their appearance, but it's hard to say for sure. If that's the case then it's...the NYT doing the redaction?

I'm disappointed if that's the case, since at least one of the redactions ("Complete enabling for XXXXXX encryption chips used in Virtual Private Network and Web encryption devices") seems to be nothing but the name of a company that's producing flawed products.
posted by Kadin2048 at 10:47 PM on September 7, 2013




Apparently U.S. claims they intercepted an Iranian "order" to attack the U.S. Embassy in Iraq in the event of a strike on Syria.

Why are they telling us this? Either (1) they're trying to goad us into war with Iran and/or Syria, or else (2) they're simply trying to make the NSA, etc. look good amidst Snowden's revelations. Ain't (1) because the right-wingers voting against the resolution will approve a more limited resolution and Iranian threats will discourage our foreign allies like the Brits and French, unlike our own jingoistic right-wing. So we're left with (2), they're simply drumming up support for surveillance.

Is this story an outright lie? Yes, I hope so. Why?

Imagine the NSA, etc. actually intercepted this order. What does that mean? If it's real intel, then they burned both that intel, and their ability to decode future communications from Iran. Alright, maybe Iran sends blustering bullshit messages to Iraqi Shiites all the time, but even if so the NSA should want the ability to gain some sense and intel from that bluster. After all, they want that low-level data on all of us!

I therefore conclude that, if they are not lying here, then they're directly placing our embassy in harm's way for their own political gain. Ain't quite treason I guess, but I'd certainly hope they're outright lying instead.

Now why fabricate or tell this story now? In fact, the Department of Defense claims the NSA "does ***not*** engage in economic espionage in any domain, including cyber" (asterisks in original quote). Yet Greenwald says:

"One big problem the NSA and US government generally have had since our reporting began is that their defenses offered in response to each individual story are quickly proven to be false by the next story, which just further undermines their credibility around the world. That NSA denial I just excerpted above has already been disproven by several reports (see, for instance, the letter published in this article, or the last document published here), but after Sunday, I think it will prove to be perhaps the NSA's most misleading statement yet."

So tonight or tomorrow we likely learn that the NSA conducts economic espionage against friendly nations. That's huge. Arguably not as bad as endangering the embassy to protect their budget, but huge nonetheless.
posted by jeffburdges at 1:03 AM on September 8, 2013 [1 favorite]


According to Globo listings, Fantastico airs at 2045 local tonight.
posted by adamvasco at 1:47 AM on September 8, 2013


Greenwald: Is U.S. Exaggerating Threat to Embassies to Silence Critics of NSA Domestic Surveillance?
Just an excerpt from here maybe, but relevant to their new claims.
posted by jeffburdges at 3:51 AM on September 8, 2013 [1 favorite]




Obama administration had restrictions on NSA reversed in 2011. "The Obama administration secretly won permission from a surveillance court in 2011 to reverse restrictions on the National Security Agency’s use of intercepted phone calls and e-mails, permitting the agency to search deliberately for Americans’ communications in its massive databases".
posted by Nelson at 7:31 AM on September 8, 2013 [5 favorites]


Obama administration had restrictions on NSA reversed in 2011. "The Obama administration secretly won permission from a surveillance court in 2011 to reverse restrictions on the National Security Agency’s use of intercepted phone calls and e-mails, permitting the agency to search deliberately for Americans’ communications in its massive databases".

I'm sure this was all part of some larger strategy for pushing forward the progressive agenda.
posted by AElfwine Evenstar at 7:45 AM on September 8, 2013 [5 favorites]


Privacy Scandal: NSA Can Spy on Smart Phone Data

"The documents state that it is possible for the NSA to tap most sensitive data held on these smart phones, including contact lists, SMS traffic, notes and location information about where a user has been."
posted by Noisy Pink Bubbles at 8:40 AM on September 8, 2013 [1 favorite]


From the Washington Post article:
[Alex Joel, Civil liberties protection officer at the Office of the Director of National Intelligence (ODNI)] gave hypothetical examples of why the authority was needed, such as when the NSA learns of a rapidly developing terrorist plot and suspects that a U.S. person may be a conspirator. Searching for communications to, from or about that person can help assess that person’s involvement and whether he is in touch with terrorists who are surveillance targets, he said. Officials would not say how many searches have been conducted.
This is such absolute baloney. In the event of a "rapidly developing" terrorist plot, the NSA is already allowed to conduct warrantless surveillance. The FISA Amendments Act of 2008 increased the maximum warrantless surveillance period from 48 hours to one week. I'm disappointed that a "civil liberties protection officer" would present what looks like an intentionally misleading defense.

Also from the article:
They [Senators Wyden and Udall] introduced legislation to require a warrant, but they were barred by classification rules from disclosing the court’s authorization or whether the NSA was already conducting such searches.
Again, this is a clear-cut case of how secrecy rules are undermining our right to self-governance and informed consent. Without hearing any kind of adversarial debate, the FISC establishes a secret body of constitutional law that gives the government broad powers. When the legislative branch then attempts to restrict the use of the government power, they are barred from explaining what FISC has interpreted the constitution to allow, and they are prohibited from explaining why they believe this legislation is needed. Without the ability to define the status quo, meaningful deliberation is impossible.

This is eroding our basic system of checks and balances, and it is cause for real concern.
posted by compartment at 9:11 AM on September 8, 2013 [5 favorites]


So basically Wyden and Udall didn't have Mike Gravel's stones (sorry), or was the Speech and Debate Clause "loophole" plugged after the Pentagon Papers?
posted by entropicamericana at 9:21 AM on September 8, 2013 [1 favorite]


The case of Barrett Brown also seems to be related to this whole cluster fuck.

Brown began looking into Endgame Systems, an information security firm that seemed particularly concerned about staying in the shadows. “Please let HBGary know we don’t ever want to see our name in a press release,” one leaked e-mail read. One of its products, available for a $2.5 million annual subscription, gave customers access to “zero-day exploits”—security vulnerabilities unknown to software companies—for computer systems all over the world. Business Week published a story on Endgame in 2011, reporting that “Endgame executives will bring up maps of airports, parliament buildings, and corporate offices. The executives then create a list of the computers running inside the facilities, including what software the computers run, and a menu of attacks that could work against those particular systems.” For Brown, this raised the question of whether Endgame was selling these exploits to foreign actors and whether they would be used against computer systems in the United States. Shortly thereafter, the hammer came down.

The article ends with the author pointing to the very fact that compartment just made above:

While the media and much of the world have been understandably outraged by the revelation of the NSA’s spying programs, Barrett Brown’s work was pointing to a much deeper problem. It isn’t the sort of problem that can be fixed by trying to tweak a few laws or by removing a few prosecutors. The problem is not with bad laws or bad prosecutors. What the case of Barrett Brown has exposed is that we are confronting a different problem altogether. It is a systemic problem. It is the failure of the rule of law.
posted by AElfwine Evenstar at 9:38 AM on September 8, 2013 [12 favorites]


Entropicamericana, Wyden and Udall wouldn't be in any legal jeopardy if they spilled the beans on the Senate floor, but I do think they would be at risk of losing their seats on the Senate Intelligence Committee and having their security clearances revoked. IIRC, Mike Gravel entered the Pentagon Papers into the Congressional Record during an impromptu meeting of the Building and Grounds Committee, so he might have had less to lose. I understand where you're coming from, and wish that one of them was willing to say more on the Senate floor, but I also think it's important that Wyden and Udall both stay on the Intelligence Committee.

At any rate, the bottom line (for me, at least) is that the current possibilities for punitive action have had the same effect on debate as would the threat of actual criminal charges.

Moving along: jeffburdges' link to the John Gilmore email contains this interesting tidbit:
In other circumstances I also found situations where NSA employees explicitly lied to standards committees, such as that for cellphone encryption, telling them that if they merely debated an actually-secure protocol, they would be violating the export control laws unless they excluded all foreigners from the room (in an international standards committee!).
Also, quick update to clarify that the WaPo article I refer to in my comment above is this one that Nelson linked to.
posted by compartment at 9:51 AM on September 8, 2013 [1 favorite]


An interesting discussion on the challenges of verifiable security is found here:

http://silentcircle.wordpress.com/2013/08/17/reply-to-zooko/
posted by armoir from antproof case at 1:19 PM on September 8, 2013 [1 favorite]


Oops, I've overanalyzed that Iran wanting to bomb the U.S. embassy report, apparently it came from Saxby Chambliss, who one expects to fabricate such stories.
posted by jeffburdges at 3:09 PM on September 8, 2013


Some information has already gotten out about the report on Fantastico tonight:
The U.S. government allegedly spied on Brazilian state-run oil company Petroleo Brasileiro SA, known as Petrobras, according to the web site of Globo, Brazil's biggest television network.

The network, which a week ago aired a report alleging that the U.S. National Security Agency intercepted communications by the presidents of Brazil and Mexico, said its information again came from Glenn Greenwald, an American activist who has worked with fugitive former NSA analyst Edward Snowden to expose the extent of U.S. spying at home and abroad.

Promotional teasers from the network said it would give details of the spying on Sunday night, again on its "Fantastico" program.
Fabulous.
posted by jquinby at 6:04 PM on September 8, 2013 [1 favorite]


Some information has already gotten out about the report on Fantastico tonight:

From the article:

its information again came from Glenn Greenwald, an American activist who has worked with fugitive former NSA analyst Edward Snowden to expose the extent of U.S. spying at home and abroad...

Greenwald, a blogger and civil liberties activist who lives in Rio de Janeiro, declined to discuss the Petrobras allegations until after the program airs. Petrobras officials could not be reached for comment.


WTF Reuters? So now Greenwald isn't a journalist? What does that make the Guardian? Code Pink?
posted by AElfwine Evenstar at 6:24 PM on September 8, 2013 [7 favorites]


WTF Reuters? So now Greenwald isn't a journalist? What does that make the Guardian? Code Pink?

Greenwald via Twitter: On the NSA story, Reuters is the worst of the worst - not even close - so sleazy & unreliable
posted by ryanshepard at 6:36 PM on September 8, 2013 [2 favorites]


Alright, we're warming up with the revelations about Brazil, fair enough. Greenwald lives there. I'd hoped for juicier than oil companies, well that's not so surprising, but okay.

I'd expect the NSA next claims not to engage in industrial espionage either "against our staunchest allies" or "aside from critical natural resources supplies." After that claim, I pray we learn the NSA conducted industrial espionage against German, French, and lastly British companies, as well as a few other nationalities, like Japanese, Indian, and Saudi. Ideally targets should include financial institutions, because they've the most to lose and greatest political access.

Why save the Brits for last? Well, if we tell the British we're stealing from them first, they'll just roll over and ask for another belly rub. Anytime you tell the Germans that, they'll react with righteous indignation and quick action. France would react strongly regardless, but they'll play nastier once the Germans are indignant. In particular, they'd turn their own spy networks loose on U.S. companies. And the Brits might show a little spine after others show them how it's done.

All that's just my fantasy right now, but if it came to pass, it'd make the world a very cold place for U.S. interests, maybe even permitting foreign war crimes prosecutions of U.S. personnel or closures of bases in Europe.
posted by jeffburdges at 6:56 PM on September 8, 2013 [3 favorites]


I pray we learn the NSA conducted industrial espionage against German, French, and lastly British companies


There's already talk of this.

Germany fears NSA stole industrial secrets

Here's the NSA's response:

It is not a secret that the Intelligence Community collects information about economic and financial matters, and terrorist financing.

We collect this information for many important reasons: for one, it could provide the United States and our allies early warning of international financial crises which could negatively impact the global economy. It also could provide insight into other countries’ economic policy or behavior which could affect global markets.

posted by AElfwine Evenstar at 7:10 PM on September 8, 2013 [1 favorite]


Fantastico's report is up. Google translate does a somewhat clumsy job of it, though some interesting bits jump out:


The pre-salt oil is offshore, where the depth reaches two thousand meters - below a layer of salt rock, four kilometers into the earth. To reach that oil takes much technology. And in deepwater exploration Petrobras is a world leader.

Sonia Bridi: If you were a spy and had access to the system of Petrobras, which information you seek?

Adriano Pires, infrastructure specialist: I seek mainly information technology linked to oil exploration in the sea. Petrobras is the number one in the world in oil exploration in the sea. And the pre-salt exists anywhere in the world, there is pre-salt in Africa, there is pre-salt in the U.S. Gulf, there is pre-salt in the North Sea. So if I own this technology, I can take pre-salt wherever I want.

In the presentation of the National Security Agency of the United States, appearing documents prepared by the "GCHQ" the spy agency in England, a country which, as we have seen, appears as an ally of the United States in matters of espionage. The English agency work shows how two programs: "Flying Pig" and "Hush Puppy" also monitor private networks where information travels that should be safe. These networks are known by the acronym TLS / SSL.

The presentation explains how to intercept the information is held. A network attack known as "man in the middle", the man in the middle. In this case, the data are shifted to the center of the NSA, and then reach the recipient without anyone to know.

posted by jquinby at 7:14 PM on September 8, 2013 [2 favorites]


...and via Greenwald's twitter feed, a link to the report in properly translated English.
posted by jquinby at 7:32 PM on September 8, 2013 [6 favorites]


I'm kind of surprised that the NSA hasn't just kept its mouth shut until they think all of the revelations are out, especially if they're denying things they know are true.

But then again, I'm also kind of surprised that the NSA uses Tumblr.
posted by one more dead town's last parade at 7:34 PM on September 8, 2013 [1 favorite]


From the report:

Other targets include French diplomats – with access to the private network of the Ministry of Foreign Affairs of France – and the SWIFT network, the cooperative that unites over ten thousand banks in 212 countries and provides communications that enable international financial transactions. All transfers of money between banks across national borders go through SWIFT.
posted by brina at 7:40 PM on September 8, 2013


Here's a mostly puff piece painting Gen. Alexander as a misunderstood patriot who only wants to protect America.

The Cowboy of the NSA

That being said it's a pretty good read.
posted by AElfwine Evenstar at 7:42 PM on September 8, 2013


Amusingly, the Germany fears NSA stole industrial secrets seemingly tries playing down the risk, but basically makes it sound inconceivable that NSA analysts did not steal industrial secrets from Germany.

Don't like how much your German suppliers charge? Just pay an NSA analyst to steal the technology and resell it to the Chinese. Voila, you create a vastly cheaper supplier, while everyone blames the Chinese.
posted by jeffburdges at 7:43 PM on September 8, 2013


And maybe a judiciously timed release about Germany will help the Pirates and Greens in the German election.
posted by jeffburdges at 7:48 PM on September 8, 2013


At this point it seems like we are being held hostage by our intelligence agencies. If we threaten to take away their capability to spy on everyone, they threaten the loss of all liberty if there is another terrorist attack.
posted by AElfwine Evenstar at 7:56 PM on September 8, 2013


Sought by Fantastico, the NSA sent a statement attributed to a U.S. official, declaring “We do not use our foreign intelligence collection capabilities to steal the trade secrets of foreign companies in order to give American companies a competitive advantage.”

That's a mighty fine bit of wordsmithing there. So the NSA may:

1) Use its foreign intelligence collection capabilities to steal the trade secrets of foreign companies to benefit the US government.

2) Use its foreign intelligence collection capabilities to steal the trade secrets of foreign companies to benefit non-American companies.

3) Use its foreign intelligence collection capabilities in order to give the US government a competitive advantage.

4) Use its foreign intelligence collection capabilities in order to give American companies a competitive advantage.

5) Use its foreign intelligence collection capabilities in order to give non-American companies a competitive advantage.

None of those technically violate the NSA's response. Add in the exact definition of "our foreign intelligence collection capabilities"... Does the NSA use information gathered by the GCHQ to steal the trade secrets of foreign companies in order to give American companies a competitive advantage?

Then again the NSA could just be flat out lying. There's precedent.
posted by ryoshu at 7:59 PM on September 8, 2013 [5 favorites]


But then again, I'm also kind of surprised that the NSA uses Tumblr.

What's amusing is how little reader involvement the NSA Tumblr has.

NSA Tumblr post: 3 reposts (none of which seem favorable) and 5 favorites.

Glenn Greenwald Twitter post linking the Tumblr post: 80 reposts, 29 favorites.
posted by anemone of the state at 8:26 PM on September 8, 2013


That's a mighty fine bit of wordsmithing there.

Isn't it though? I'm starting to think, strongly, that the NSA only says things to the public to cover their asses, and always as narrowly as possible. If they were to say "The NSA has never been involved in the death of an innocent person," then you could bet there was wrangling behind closed doors as to who is really innocent, anyway -- otherwise, why would they bother talking about it?

The NSA: always thinking of modifiers in precise terms of everything they don't mean.
posted by JHarris at 9:49 PM on September 8, 2013 [1 favorite]


NSA Can Spy on Smart Phone Data
SPIEGEL has learned from internal NSA documents that the US intelligence agency has the capability of tapping user data from the iPhone, devices using Android as well as BlackBerry, a system previously believed to be highly secure.
posted by Joe in Australia at 10:45 PM on September 8, 2013


Oops, that was posted above. Sorry.
posted by Joe in Australia at 11:49 PM on September 8, 2013


I've forgotten the source, but one link suggested believably that the NSA actually carries out man-in-the-middle attacks. And both phones and browser security via CAs are perfectly vulnerable to man-in-the-middle attacks. We need not design our systems so vulnerably though:

We could standardize a list of 1024 cute icons and 64 distinctive deformations, so an icon plus a deformation represents 16 bits. We then patch Firefox and Chrome to display eight such graphics representing the session key when the user mouses over the lock icon. Any websites concerned about security could find tricky ways to tell the user what those graphics should be, such as by displaying related graphics or customizing a Bayesian text generator to tell a story about them. In fact, such stories could be watermarked for authentication after the fact.

We're talking pure "security through obscurity" here of course, and it won't help real activists much. It'd enormously complicate the NSA's task of monitoring everyone though because they must catch up every time any webmaster changes their system or risk exposing themselves to their targets.

These "standard key verification images" help human-to-human communications even more. Zfone already verifies session keys by telling the users two letters. Images would strengthen text based tools like OTR.

Again, we're not trying to make the encryption unbreakable but to create risk factors that expose surveillance often enough to make surveillance extremely expensive. And people might enjoy verifying their keys by telling each other silly stories about cute pictures. :)
posted by jeffburdges at 5:59 AM on September 9, 2013
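Added example, not from this thread and not code from Zfone, OTR or any browser: a Python sketch of the glyph encoding proposed in the comment above. It hashes the session key and splits the first 128 bits of the hash into eight 16-bit chunks, each mapped to an (icon, deformation) pair drawn from the proposed 1024 icons and 64 deformations. The icon and deformation tables are assumed to exist and are represented by indices only, and hashing the key instead of displaying raw key bits is my assumption, so that the verification display never reveals key material.

```python
import hashlib

# Parameters from the proposal: 1024 icons (10 bits) and 64 deformations
# (6 bits) give 16 bits per glyph; eight glyphs cover 128 bits.
ICON_BITS = 10
DEFORM_BITS = 6
ICON_COUNT = 1 << ICON_BITS        # 1024
DEFORM_COUNT = 1 << DEFORM_BITS    # 64
GLYPH_COUNT = 8
FINGERPRINT_LEN = GLYPH_COUNT * (ICON_BITS + DEFORM_BITS) // 8   # 16 bytes


def key_fingerprint(session_key):
    """Derive the 128-bit value that the glyphs encode.

    Assumption (mine, not the comment's): show a labelled hash of the key
    rather than the key itself, so the display leaks no key bits.
    """
    digest = hashlib.sha256(b"key-verification-glyphs:" + session_key).digest()
    return digest[:FINGERPRINT_LEN]


def fingerprint_to_glyphs(fp):
    """Split a 16-byte fingerprint into eight (icon, deformation) pairs."""
    if len(fp) != FINGERPRINT_LEN:
        raise ValueError("fingerprint must be %d bytes" % FINGERPRINT_LEN)
    glyphs = []
    for i in range(GLYPH_COUNT):
        chunk = int.from_bytes(fp[2 * i:2 * i + 2], "big")  # one 16-bit chunk
        icon = chunk >> DEFORM_BITS                         # high 10 bits
        deform = chunk & (DEFORM_COUNT - 1)                 # low 6 bits
        glyphs.append((icon, deform))
    return glyphs


def glyphs_to_fingerprint(glyphs):
    """Inverse of fingerprint_to_glyphs, so a sequence a user reads back
    can be turned into the bytes it stands for."""
    out = bytearray()
    for icon, deform in glyphs:
        if not (0 <= icon < ICON_COUNT and 0 <= deform < DEFORM_COUNT):
            raise ValueError("glyph index out of range")
        out += ((icon << DEFORM_BITS) | deform).to_bytes(2, "big")
    return bytes(out)


def glyphs_for_key(session_key):
    return fingerprint_to_glyphs(key_fingerprint(session_key))


def render(glyphs):
    # Stand-in for drawing the pictures: the standard tables are assumed.
    return " ".join("icon%04d/deform%02d" % g for g in glyphs)


def both_sides_agree(key_a, key_b):
    """What the two humans are really checking: the sequences derived from
    each end's copy of the session key must be identical."""
    return glyphs_for_key(key_a) == glyphs_for_key(key_b)


if __name__ == "__main__":
    # Constructed sample keys: the key both ends hold in a clean session,
    # and the different key one end would hold if a MITM split the session.
    shared = bytes.fromhex("00112233445566778899aabbccddeeff")
    split = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
    print("Alice sees :", render(glyphs_for_key(shared)))
    print("Bob sees   :", render(glyphs_for_key(shared)))
    print("Under MITM :", render(glyphs_for_key(split)))
    print("agree, clean session:", both_sides_agree(shared, shared))
    print("agree, MITM session :", both_sides_agree(shared, split))
```

Each end derives the sequence from its own copy of the session key; under a man-in-the-middle the two ends hold different keys, so the sequences differ and the people comparing them (or the page comparing them to what the site told the user to expect) notice.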


The presentation explains how to intercept the information is held. A network attack known as "man in the middle", the man in the middle. In this case, the data are shifted to the center of the NSA, and then reach the recipient without anyone to know.

Sunday's report was less explosive than I expected, given Greenwald's framing of it. I'm guessing this marks the point where the Snowden revelations begin to diminish in impact, and we start getting back to business as usual for the surveillance state.
posted by ryanshepard at 6:11 AM on September 9, 2013


There are several lines in Bruce Schneier's comments on The NSA's Cryptographic Capabilities worth highlighting:

Any practical attacks on symmetric algorithms like AES-256 are likely side-channel, random number generator, etc. attacks because "while the NSA certainly has symmetric cryptanalysis capabilities that we in the academic world do not, converting that into practical attacks on the sorts of data it is likely to encounter seems so impossible as to be fanciful."

Instead it's "more likely is that the NSA has some mathematical breakthrough that affects one or more public-key algorithms" because "[we've] absolutely no theory that provides any limits on how powerful [the mathematical tricks involved in public-key cryptanalysis] can be." and "[factoring breakthroughs] have occurred regularly over the past several decades, allowing us to break ever-larger public keys."

We could surely defend against mathematical attacks on public-key algorithms by increasing the key size and spending more time studying the random number generators, prime finders, etc.

Also, Bruce Schneier believes that "the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily."

There is concern now about the fact that Tor uses 1024 bit DHE keys, meaning 1024 bit RSA based Diffie–Hellman key exchange, but maybe the proposed switch to a 1024 bit elliptic-curve based Diffie–Hellman key exchange doesn't help matters given Schneier's comments.
posted by jeffburdges at 6:22 AM on September 9, 2013


I'd imagine the NSA spying on Petroleo Brasileiro SA is pretty explosive in Brazil, given their past issues with resource exploitation, and South America more generally. Yeah, Americans might think "hey brown people with oil", but at minimum it'll legitimize espionage against American companies, especially those bidding on Petroleo Brasileiro SA's finds. Ideally, Brazil might even reduce the long term economic damage by canceling some actions and reducing the planned extraction rate, which sounds good for everyone.
posted by jeffburdges at 6:30 AM on September 9, 2013


We had rumors and gossip about that in the mathematical world a couple of years ago that some of the NSA's breakthroughs might be related to the Green–Tao theorem, although afaik the only evidence was the timing of announcements, which really doesn't amount to much. Anyone know if Green or Tao has much connection to the NSA via IDA-CCR? Of course, all academic mathematicians have friends with ties to IDA-CCR, but some more professionally than others.
posted by jeffburdges at 6:39 AM on September 9, 2013


I want to see an analysis of trades by NSA employees who day trade stocks. Anyone else imagine insider trading must be rampant there? Abuse is inevitable after all.
posted by jeffburdges at 8:17 AM on September 9, 2013 [2 favorites]


Interesting thoughts. I'd add commodities/futures trading. Which might be a little lower profile? Maybe in foreign markets?
posted by snuffleupagus at 9:12 AM on September 9, 2013 [2 favorites]


Or, if you're not out of tinfoil yet, maybe the NSA does this institutionally to build up slush funds to pay for the programs that they don't want to disclose to the Congress that they use them to spy on.
posted by snuffleupagus at 9:13 AM on September 9, 2013 [6 favorites]


Re man-in-the-middle attacks, the best defense against them is not some sort of semi-obscured key fingerprinting, but instead to use something like the SSL Observatory or better yet CMU's Perspectives Project to keep a list of various sites' key fingerprints. The latter offers a browser addon which may be of interest.

If someone MITMs you using a false server certificate (created using a Certificate Authority signing cert somehow), but without having control of the actual server that you are trying to connect to (if they did, it wouldn't be a MITM anymore; you'd just be talking to the bad guys), then the key's fingerprint will probably not be what it ought to. Most browsers will ignore this, as long as the chain of signatures up to the CA is intact; that's how the X.509 trust model (stupidly) works.

As long as you have built up a list of fingerprints before the MITM attack begins, you stand a fairly good chance at detecting that something is screwy. Provided, of course, you listen to the software when it warns you and don't just dismiss the warnings as false-positives. (This is a significant challenge in designing MITM countermeasures: how do you prevent it from having so many false-positives due to frequently changing server certificates, so that users don't just learn to ignore it?)

However, there is no good way of detecting a MITM unless you have information on the other site from before the MITM began, or you have a secure side-channel or trusted third party to verify the certificate. In other words, if you never had a secure channel to begin with, it is almost impossible to build one up. (It may be mathematically impossible, in fact I think that it is, but I haven't given it enough thought at the moment to say that for certain.) But if we assume that even entities like the NSA engage in SSL MITM tampering only occasionally -- because it's not impossible to discover and therefore is probably only good on a targeted basis, compared to offline decryption which they seem to be in the mood to do all the time -- not all hope is lost.

But just embedding information about the key fingerprint in the page content isn't very good, it's probably a false sense of security at best. However, many people have been looking at the problems inherent in SSL/TLS PKI for a while, and if the NSA stuff gives us a kick in the pants to stop trusting Certificate Authorities and instead move to some more resilient trust model, that could actually be a good thing in the long run.
posted by Kadin2048 at 9:46 AM on September 9, 2013 [3 favorites]
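Added example, not part of the comment and not code from the SSL Observatory or the Perspectives Project: a minimal trust-on-first-use fingerprint store in Python showing the "build up a list of fingerprints before the attack begins" idea. The host name and the certificate bytes are constructed placeholders, and a real store would be persisted across browser sessions.

```python
import hashlib
from collections import namedtuple

# status: "first-use", "match" or "mismatch"; known: fingerprints already on file
Verdict = namedtuple("Verdict", "status fingerprint known")


def cert_fingerprint(cert_der):
    """SHA-256 over the DER-encoded certificate, the usual 'fingerprint'."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Trust-on-first-use memory of the certificates each host has presented.

    Nothing here proves the first certificate seen was genuine; the store
    only detects a change relative to what was seen earlier, which is the
    point made in the comment above.
    """

    def __init__(self):
        self._seen = {}   # host -> {fingerprint: times seen}

    def check(self, host, cert_der):
        fp = cert_fingerprint(cert_der)
        known = self._seen.setdefault(host, {})
        if not known:
            # First contact: nothing to compare against, so record the pin.
            known[fp] = 1
            return Verdict("first-use", fp, [])
        if fp in known:
            known[fp] += 1
            return Verdict("match", fp, sorted(known))
        # A certificate this host has never presented before.  That is what
        # a MITM with a mis-issued cert looks like, and also what a legitimate
        # rotation looks like, so the verdict carries the history instead of
        # deciding silently (the false-positive problem the comment raises).
        return Verdict("mismatch", fp, sorted(known))

    def accept(self, host, cert_der):
        """Record a fingerprint once the change has been confirmed out of band
        (a notary lookup, the site's own announcement, and so on)."""
        self._seen.setdefault(host, {})[cert_fingerprint(cert_der)] = 1


def run_demo():
    """Walk through first use, a repeat visit and an unexpected certificate."""
    store = PinStore()
    # Constructed stand-ins for DER certificates; real ones would be the
    # bytes taken from the TLS handshake.
    cert_usual = b"CONSTRUCTED-CERT host=example.test issuer=usual-ca serial=1"
    cert_other = b"CONSTRUCTED-CERT host=example.test issuer=other-ca serial=9"
    return [
        store.check("example.test", cert_usual).status,   # first-use
        store.check("example.test", cert_usual).status,   # match
        store.check("example.test", cert_other).status,   # mismatch
    ]


if __name__ == "__main__":
    for step, status in zip(("first visit", "second visit", "new cert"), run_demo()):
        print("%-12s -> %s" % (step, status))
```

The store decides nothing about whether the new certificate is malicious; it surfaces the change together with the fingerprints previously seen, so that the decision can be made by policy or by a person rather than being swallowed the way a CA-only chain check would swallow it.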


Novice question: Are MITM attacks are pretty much undetectable if an attacker were to set up shop at your local ISP or at the last link in the chain before the server you're talking to? Because it seems that in that case, anything coming in or out of those choke points could be manipulated, you couldn't verify from a different source that the fingerprint is wrong (unless you used a different ISP, but the last choke point before the remote server is still a problem). It seems like the NSA could easily walk in with an NSL at either of those two points and demand access.
posted by jason_steakums at 10:21 AM on September 9, 2013


Are MITM attacks are pretty much undetectable

FTFM. Damn you, brain.
posted by jason_steakums at 10:55 AM on September 9, 2013


Novice question: Are MITM attacks are pretty much undetectable if an attacker were to set up shop at your local ISP or at the last link in the chain before the server you're talking to?

Depends. The key things for MITM are 1) you need to sit somewhere where you can intercept the conversation between client and server, and 2) you need to sit somewhere that can also manipulate the DNS traffic that is returned to the client.

As to how that interacts with checking fingerprints... It all comes down to how the architecture is implemented, and the threat model the architect used when designing things.

It's basically an arms race. If the NSA sets up shop in your ISP, you can use 3rd party fingerprint validation until the NSA writes specific rules to manipulate that traffic. Then you need to start mirroring that info. Then the NSA adapts. The take-home from this? TLS alone is insufficient to guarantee confidentiality and integrity.

As I've mentioned before in this thread, if you're a professional you should have _already_ been operating under that assumption.
posted by bfranklin at 12:25 PM on September 9, 2013


Yes, we should use tools like SSL Observatory, Kadin2048, or better yet change the standard so that browsers raised warnings whenever a site's key changes from previous sessions, presumably signing the new key with the old key reduces the warning severity dramatically. Also DNSSEC.

Yet, real humans can verify session keys in fun manual ways that're basically impossible to attack via MITM. Yes, you cannot add security this way if one side is a machine, but the adaptability of the human side adds insecurity to your attacker.

If your attacker is a traditional police state, like China or Iran, then they want you to know they're listening, so exposing their attack does nothing. If otoh, your attacker is a western fake democracy, they really don't want you knowing about their MITM attack, well unless they're trying to intimidate you.

In fact, you needn't involve the user at all, just continually move and change some javascript that checks the user's session key. If it finds anything, it warns them "You're being MITM attacked, this is probably the NSA, CIA, FBI, or DEA, but it might be more ordinary criminals. Watch your back!"
posted by jeffburdges at 12:50 PM on September 9, 2013 [2 favorites]


Are MITM attacks are pretty much undetectable if an attacker were to set up shop at your local ISP or at the last link in the chain before the server you're talking to?

SSL/TLS is specifically designed to thwart that kind of attack. As part of the process of establishing a secure channel, SSL/TLS verifies that you are actually talking to the desired server and not someone sitting in the middle between you and the server. It does this by verifying the server's X.509 certificate, issued by a certificate authority (CA). In order to successfully impersonate the server, the attacker has to present a certificate that your browser will accept as authentic. This means that the attacker has to have either subverted a CA (which has happened, the Dutch certificate authority DigiNotar being the chief example), or, alternatively, the attacker has to have somehow previously arranged to have added their own CA to the list of CAs trusted by your browser.

I think it is likely that the NSA has subverted one or more CAs that are in the list of CAs that most browsers trust. However, if the NSA were to attempt a MITM attack via a forged certificate against all traffic to a high profile server (i.e. Google) or against just the traffic from a technically adept client, they could get caught via the fingerprint validation mentioned by Kadin2048 and bfranklin. As the DigiNotar case demonstrates, the exposure that a CA has been compromised can be devastating to the CA (ruining any value of secretly subverting the CA). I suspect that this means that if the NSA deploys MITM attacks against SSL/TLS they do it on a limited scale against targets that the NSA is confident lack the ability to detect and expose the certificate from the subverted CA.

On the other hand, it is not uncommon for employers to add their own CA to the list of CAs trusted by their own computers. So it's entirely possible for an employer to place a box at the border of their network that performs a successful MITM attack against the SSL/TLS connections that their employees make when they access a secure web server from a browser running on one of the employer's computers.
posted by RichardP at 12:53 PM on September 9, 2013 [3 favorites]


Huh. So, again, total novice here, but it seems if you had a big enough pool of users from all over the world who ran software to automatically check those fingerprints and compare with each other, you could flag and map fingerprint discrepancies for any server and build up a picture of MITM attacks all across the internet. Say you had a semi-anonymous P2P network much like you have on a torrent, and when one person in that network tries connecting to a server it causes a handful of other peers in the network chosen at random to also connect to it and then the fingerprints are compared. If, say, 4 peers come back with one fingerprint, but one peer comes back with something different - this raises a flag. You wouldn't have to be technically adept to use something like that, just set it and forget it to help collect data or have a browser plugin that notifies you when something's up with the fingerprint you're seeing. There would be false positives but it would be a pretty cool distributed audit of the internet done SETI@Home style.
posted by jason_steakums at 2:23 PM on September 9, 2013


jason steakums: Alright, but what happens when the NSA connects a botnet to the P2P network that says a whole bunch of false fingerprints are correct?
posted by bfranklin at 2:30 PM on September 9, 2013


something something reverse Turing test (uh, I got nothin)
posted by jason_steakums at 2:39 PM on September 9, 2013


Jason: fwiw, what you're describing is right on the road to the web of trust used for the verification of PGP public keys. So you're onto a good idea; it just has known shortcomings.
posted by bfranklin at 2:44 PM on September 9, 2013


For a publication that's usually great at information-dense graphics to run something so USA Today-like in its vapidity . . .

Speaking of McPaper, here's how USA Today covered this story the day after it came out.

Not that they are my normal go-to for this sort of story, but when I didn't see anything at all about it in the Gannett-owned local, I figured I'd see what the Gannett national flagship had. What it had included this:

Should the latest disclosures of decrypting techniques used as part of the NSA's PRISM anti-terrorism surveillance program keep you awake tonight?

Only if you do not believe President Obama and NSA Director Army Gen. Keith Alexander that any and all spying techniques are used strictly in very narrow circumstances to target suspected foreign terrorists, under a federal court review process.


Uh, yeah.
posted by one weird trick at 3:30 PM on September 9, 2013 [4 favorites]


After nearly every single explanation from the NSA and administration has been proven to contain falsehoods within a week?

Good one, USA Today.
posted by anemone of the state at 5:01 PM on September 9, 2013 [2 favorites]


it seems if you had a big enough pool of users from all over the world who ran software to automatically check those fingerprints and compare with each other, you could flag and map fingerprint discrepancies for any server and build up a picture of MITM attacks all across the internet

That is almost exactly what the Perspectives Project does. :)

They call the "pool of users" who track various sites' certificate fingerprints "network notaries", and you can choose which notaries you trust to (probably) not be compromised depending on your threat sensitivity. It's a decent system, and I'd like to see it become a core browser feature rather than an addon that will only ever be used by paranoids. (As a default configuration you could tell it to trust the browser manufacturer as a 'notary', which effectively matches the current situation where you are implicitly trusting your browser manufacturer's decisions of which CAs to include/trust.)

More generally on SSL/TLS PKI:

Although it'll be a good thing if BULLRUN ends up being the goad that gets Mozilla/Google to finally admit that TLS is busted, that was really just an issue of perception: it was broken before that. DigiNotar and Comodo should have been enough to get things going, but instead it's become evident that some CAs are perceived as "too big to fail" (meaning, too big and used by too many sites to be suddenly revoked) by browser devs, and thus the whole check-and-balance that is supposed to exist between software vendors and CAs to keep the latter trustworthy is suspect.*

At the moment, we have only two ways of knowing about root-CA compromises: (1) we can trust various CAs when they say nobody has copied their key, which is silly since they can't ever say anything else and stay in business; (2) we can look at discovered instances of MITMs and try to extrapolate out who is doing it and where they got the certificates. Unfortunately, even Method 2 only gets us those hackers who are brazen enough with their certs to get caught pulling MITMs with them. Probably not state actors or APTs, who would presumably be smart enough to use them only occasionally to do stuff like drop malware which immediately obviates the need for the MITM.

* Case in point: Comodo should have gotten the Instant CA Death Sentence from every major browser and OS vendor for the Iran certs thing, pour encourager les autres if nothing else. (Perhaps as everyone who bought certs from them bought new ones from someone else, they could have taken a moment to reflect on why they're buying certificates and paying into this miserable system anyway.) But of course that didn't happen, and now there's precedent for letting some dumbass from Iran trick you into giving out certs to Yahoo.com and staying in business, which is ironic if your one fucking job as a business is being trusted to not do exactly that.
posted by Kadin2048 at 11:59 PM on September 9, 2013 [6 favorites]
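Added example, not from this thread and not the Perspectives Project's own code: a Python sketch of the notary comparison described in this comment and in jason_steakums' "handful of peers connect and compare" proposal earlier in the thread. The client compares the fingerprint it was handed with what the notaries it has chosen to trust report for the same host; reports from untrusted observers are dropped before counting, which is how this sketch handles bfranklin's botnet objection. Notary ids, fingerprints and the quorum size are constructed values.

```python
from collections import Counter


def notary_verdict(observed_fp, reports, trusted, quorum=2):
    """Compare the fingerprint this client sees with what trusted notaries saw.

    observed_fp : fingerprint of the certificate handed to this client
    reports     : {notary_id: fingerprint} as returned by each notary queried
    trusted     : notary ids the user has chosen to rely on
    quorum      : how many trusted notaries must agree before their view counts

    Returns (status, tally).  Only trusted notaries are tallied, so a flood
    of bogus observers cannot outvote them; it is simply not counted.
    """
    counted = {n: fp for n, fp in reports.items() if n in trusted}
    if not counted:
        return ("no-data", Counter())
    tally = Counter(counted.values())
    top_fp, top_n = tally.most_common(1)[0]
    if top_n < quorum:
        return ("insufficient", tally)
    if observed_fp == top_fp:
        return ("consistent", tally)
    if observed_fp in tally:
        # Some trusted notaries saw our certificate too: more consistent with
        # a rotation in progress than with interception of our path alone.
        return ("minority", tally)
    # Nobody we trust has seen the certificate we were handed: the shape of
    # an interception sitting between us and the server.
    return ("divergent", tally)


def run_scenarios():
    """Constructed scenarios, including the 4-against-1 case from the thread."""
    trusted = {"notary-1", "notary-2", "notary-3", "notary-4", "notary-5"}
    genuine, odd, handed = "fp-genuine", "fp-odd-one-out", "fp-handed-to-me"
    reports = {"notary-1": genuine, "notary-2": genuine, "notary-3": genuine,
               "notary-4": genuine, "notary-5": odd}
    # Same trusted reports plus fifty untrusted "observers" vouching for the
    # certificate the client was handed.
    flood = dict(reports)
    flood.update({"bot-%d" % i: handed for i in range(50)})
    return {
        "four_agree_one_differs": notary_verdict(genuine, reports, trusted)[0],
        "i_am_the_odd_one": notary_verdict(odd, reports, trusted)[0],
        "nobody_saw_my_cert": notary_verdict(handed, reports, trusted)[0],
        "botnet_flood": notary_verdict(handed, flood, trusted)[0],
        "single_report": notary_verdict(genuine, {"notary-1": genuine}, trusted)[0],
        "no_trusted_reports": notary_verdict(genuine, {"bot-1": genuine}, trusted)[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print("%-24s %s" % (name, status))
```

The trust decision moves from "which CAs did my browser vendor bundle" to "which notaries do I count", which is the configuration knob the comment describes; a default of trusting only the browser vendor's notary reproduces today's behaviour, and adding independent notaries is what makes a certificate shown only to you stand out.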


NSA-Spionage: EU-Abgeordnete wollen Swift-Abkommen aussetzen
(NSA Spying: MEPs want to expose Swift agreement)
posted by jeffburdges at 3:15 AM on September 10, 2013


anemone of the state: I've actually been wondering if that bit of the article was put there with a wink-and-a-nod by the original author of the piece, meant to slip past either editors or readers who might still think this is all for our own good, or who are worried about those who at one level or another still accept the party line on this.
posted by one weird trick at 7:27 AM on September 10, 2013


Is there a single source or site which publishes Firefox compatible CRLs?
posted by Dr. Zira at 3:32 PM on September 10, 2013


Is there a single source or site which publishes Firefox compatible CRLs?

CRLs are distributed by design. Certificates are issued with a CRL location embedded in them for use as part of the validation process. Any single point would be a major risk for a DoS attack against the Internet's PKI.
posted by bfranklin at 5:28 AM on September 11, 2013




I've always felt suspicious about the claims that elliptic curve cryptography had similar security with comparatively small keysizes. Yes, that could easily be true without being as true as we believe. We might simply understand elliptic curves less well, while the NSA understand them quite well.

In particular, we should consider using both ECC and RSA/DSA in parallel because (a) afaik the algorithms parallelize poorly, who knows, maybe they should not be parallelized for security reasons, or maybe they should be, and (b) our phones going quad core makes more parallel computation available. We'd hope ECC gave us all the security people believe it does, but a 2048 or 4096 bit RSA key makes a nice fall back. You'd either sign with both ECC and DSA or transmit the symmetric key as the XOR of the values communicated separately by RSA and ECC.

You could always achieve more security by simply dedicating all the bits to one good algorithm, but if only the computational time matters, not the actual space, then maybe this buys additional security.

Another separate concern is whether ECC is always implemented as well as RSA. RSA's simplicity might both encourage amateurism and make more thorough verification easier.
posted by jeffburdges at 7:07 AM on September 11, 2013
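Added example, not from this thread and not from any library: Python code for the combining step of the hybrid scheme described above, where one secret arrives via RSA and another via ECC and the session key must depend on both. The XOR combiner is the one the comment proposes; the second function feeds both values through HKDF (RFC 5869, implemented here with the standard library's HMAC-SHA-256) so that each contribution is length-prefixed and bound into the result. The two secrets are constructed byte strings standing in for the real transported values; the RSA and ECC exchanges themselves are out of scope.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = 32


def hkdf_extract(salt, ikm):
    """HKDF-Extract: PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zeros."""
    if not salt:
        salt = bytes(HASH_LEN)
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk, info, length):
    """HKDF-Expand: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    if length > 255 * HASH_LEN:
        raise ValueError("too much output requested")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def combine_xor(secret_a, secret_b):
    """The combiner from the comment: XOR the two transported values.

    Only sound when both values are the same length, uniformly random and
    independent; note that anyone holding one secret and the result gets
    the other secret back for free.
    """
    if len(secret_a) != len(secret_b):
        raise ValueError("XOR combiner needs equal-length secrets")
    return bytes(x ^ y for x, y in zip(secret_a, secret_b))


def combine_kdf(secret_a, secret_b, info=b"hybrid rsa+ecc session key", length=32):
    """Hash-based combiner: length-prefix each contribution, then HKDF.

    The session key depends on every bit of both inputs, the inputs may
    differ in length, and learning or influencing one of them does not give
    an attacker a handle on the output without also breaking the other.
    """
    ikm = (len(secret_a).to_bytes(2, "big") + secret_a
           + len(secret_b).to_bytes(2, "big") + secret_b)
    return hkdf_expand(hkdf_extract(b"", ikm), info, length)


if __name__ == "__main__":
    # Constructed stand-ins for the value transported under RSA and the
    # value agreed under ECC (both 32 bytes here so XOR is defined).
    via_rsa = bytes.fromhex("a1" * 16 + "b2" * 16)
    via_ecc = bytes.fromhex("c3" * 16 + "d4" * 16)
    print("xor combiner :", combine_xor(via_rsa, via_ecc).hex())
    print("hkdf combiner:", combine_kdf(via_rsa, via_ecc).hex())
```

With the XOR combiner the session key is only as unpredictable as the two inputs are independent and uniform, so the choice of which value each algorithm transports matters; a KDF combiner is what most hybrid designs use instead, and the HKDF functions above can be checked against the published RFC 5869 test vectors.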




Asparagirl, the Matasano challenges are fun (though they do take some time) and drive home how easy it is to screw up crypto-related code in a way that opens up an unexpected vulnerability. (I've done 1.5 sets so far.)
posted by jjwiseman at 5:13 PM on September 12, 2013


New NSA Leak Shows MITM Attacks Against Major Internet Services. "hacked into a target’s Internet router and covertly redirected targeted Google traffic using a fake security certificate so it could intercept the information in unencrypted format" ... "the 2011 DigiNotar hack was either the work of the NSA, or exploited by the NSA."
posted by Nelson at 8:45 AM on September 13, 2013 [3 favorites]


Just in case you need more reason to dislike telecoms:
Verizon's Plan To Turn the Web Into Pay-Per-View (elsewhere)
posted by jeffburdges at 9:21 AM on September 13, 2013


Interesting that Schneier mentioned Tor specifically in the MITM article, probably way past time we should all be running Tor nodes.
posted by jeffburdges at 9:29 AM on September 13, 2013


FBI Admits It Controlled Tor Servers Behind Mass Malware Attack. "the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors.". Only tangentially relevant to this NSA discussion, but it seemed the best place for it.
posted by Nelson at 3:49 PM on September 13, 2013 [5 favorites]


Gov’t standards agency “strongly” discourages use of NSA-influenced algorithm. Specifically the Elliptic Curve algorithm that was flagged as possibly having a back door a few years ago.
posted by Nelson at 4:03 PM on September 13, 2013 [3 favorites]




An important debate that would never have occurred if someone hadn't broken the freaking law. God.
posted by JHarris at 9:49 PM on September 13, 2013 [2 favorites]


May many more do the same.
posted by anemone of the state at 10:26 PM on September 13, 2013


So… what the hell are all us middle-aged programmers supposed to do for a living once the U.S. security apparatus completely torpedoes the tech sector in this country? Jesus wept.
posted by ob1quixote at 2:57 AM on September 14, 2013


But what could go wrong: Google knows nearly every Wi-Fi password in the world

Via The Daily Dot, which also asks Is Dropbox reading your documents? Answer: yes, although it says that this is only to create "document previews". This might still be an issue IMO, because even if you have an "expectation of privacy" in your own document, you don't necessarily have one in their preview.
posted by Joe in Australia at 3:50 AM on September 14, 2013 [1 favorite]


And you wouldn't want to break the Internet, would you? -
Google's Eric Schmidt says government spying is 'the nature of our society'
posted by Joe in Australia at 8:51 PM on September 14, 2013 [1 favorite]


The nature of our society is open, free access. Everything good arises from that. Official secrecy retards development, fosters mistrust, enables blackmail, and is poisonous to the very idea of democracy. Eric Schmidt can go to hell.
posted by JHarris at 9:26 PM on September 14, 2013 [4 favorites]




Ooh, this is big: French ministers told to use only secure comms post-PRISM
French newspaper L'Express has published a memo it says comes from Christophe Chantepy, chief of staff to French prime minister Jean-Marc Ayrault, and which recommends French cabinet ministers stop using smartphones for phone calls because they are not secure.
It's basically all reasonable advice, but people following it will be constantly reminded that they are potentially targeted by the USA. This is such a bad situation.
posted by Joe in Australia at 11:47 PM on September 14, 2013 [2 favorites]


Related to On the NSA by Matthew Green linked above:

OpenSSL is written by monkeys by Marco Peereboom
posted by jeffburdges at 1:40 AM on September 15, 2013 [2 favorites]


The longer quote from Eric Schmidt is worth considering
"The real danger [from] the publicity about all of this is that other countries will begin to put very serious encryption – we use the term 'balkanization' in general – to essentially split the internet and that the internet's going to be much more country specific," Schmidt said. "That would be a very bad thing, it would really break the way the internet works, and I think that's what I worry about. There's been spying for years, there's been surveillance for years, and so forth, I'm not going to pass judgment on that, it's the nature of our society."
Also
But he said it was legitimate to have a debate about how the NSA carried out its surveillance. He said: "We all have to look at ourselves and say: 'Is this what we want?'"
posted by Nelson at 6:53 AM on September 15, 2013




There are no words.
posted by entropicamericana at 12:56 PM on September 15, 2013


Firedoglake links to a Der Spiegel story about the NSA hacking into the Visa transaction network. I'll be honestly surprised if anyone trusts the NSA anymore, and the revelations keep coming.

On Schmidt's quote, above:
"The real danger [from] the publicity about all of this is that other countries will begin to put very serious encryption – we use the term 'balkanization' in general – to essentially split the internet and that the internet's going to be much more country specific," Schmidt said.

Or, maybe, the real danger is something you're not allowed to tell us about!

But he said it was legitimate to have a debate about how the NSA carried out its surveillance. He said: "We all have to look at ourselves and say: 'Is this what we want?'"

Why the hell do we need the head of a giant internet company telling us what's "legitimate to have a debate" about? Especially since he's long been privileged to have information about it he's not allowed to tell us. To hell with him.
posted by JHarris at 1:25 PM on September 15, 2013 [2 favorites]


Inside the mind of NSA chief Gen Keith Alexander: A lavish Star Trek room he had built as part of his 'Information Dominance Center' is endlessly revealing

YIKES. It's important to realize, ultimately, that it's not impersonal forces, machines or demigods that are in control over the information here but people, people who are just as weird, flimsy, whimsical, fallible and, sometimes, obsessive as we are. I'd actually like the guy for wanting this, except of course it comes at the expense of our privacy and billions of taxpayer dollars.

(I move we nickname the guy J. Edgar Picard.)
posted by JHarris at 1:43 PM on September 15, 2013 [1 favorite]


I really think that we should stick with "Hoover".
posted by jquinby at 1:56 PM on September 15, 2013


(I move we nickname the guy J. Edgar Picard.)

Don't insult Picard like that.
posted by bfranklin at 4:31 PM on September 15, 2013 [3 favorites]


I feel like someone must've gotten their fan cultures confused in the reporting of that story, since presumably no one who'd even watched a single Trek episode could confuse the Enterprise's political ideology with the NSA's — perhaps he actually asked for a room that looked like the Battlestar Pegasus?
posted by RogerB at 4:39 PM on September 15, 2013 [2 favorites]


I find it somewhat depressing that nobody involved just pointed out that the room was an embarrassingly obvious infantile power fantasy.
posted by jaduncan at 5:40 PM on September 15, 2013 [2 favorites]


Frankly I might have been more impressed with something like this.

In any event, my understanding is that this sort of set-dressing approach is not uncommon, especially if you're parading folks in and out in an effort to maintain (or increase) your funding.
posted by jquinby at 5:57 PM on September 15, 2013 [1 favorite]


I'm not really sure how much architecture really informs this discussion, but according to the architects' website, this was completed in 1999 - 2 years before General Alexander became the commanding general at Fort Belvoir.
posted by nightwood at 6:07 PM on September 15, 2013


I find it somewhat depressing that nobody involved just pointed out that the room was an embarrassingly obvious infantile power fantasy.

It's because that goes without saying.
posted by JHarris at 8:10 PM on September 15, 2013


Take Back the Internet, Bruce Schneier, Schneier on Security, 15 September 2013
posted by ob1quixote at 11:50 PM on September 15, 2013 [1 favorite]


I'd like to get some feedback on this idea:

We know the NSA has been building a really, really big data center, and the assumption has been that it's there to store calls and internet traffic. Is it possible that it's really the world's biggest rainbow table? Suppose the NSA have some clever insight into the way "random" numbers are calculated, perhaps because they had input into the design of the number generators. The effective size of RSA keys might be much smaller than we think: large enough to require a huge data center to calculate and store, but small enough for this to be practical.

Any thoughts?
posted by Joe in Australia at 12:46 AM on September 16, 2013


Rainbow tables are used on hashes. Primes are used on RSA, DSA, or Diffie–Hellman keys.

It could easily contain specialized hardware that attacks hashes or keys or both in parallel. Yes, folks speculate about that. I've even heard speculations that some mathematical breakthrough justified the expense, possibly around the Green-Tao theorem.

After Snowden though, I'd consider such speculations extremely "charitable" in that they assume the data center served the NSA foreign intelligence mission. At present, I'd assume the data center just provides them a larger time window into everyone's internet activity, making it a $2B violation of the 4th Amendment.
posted by jeffburdges at 1:46 AM on September 16, 2013 [2 favorites]


Well, not a rainbow table but its equivalent. Let's suppose that our algorithms for producing random numbers are borked, and the NSA knows this. So when people try to pick a random prime of around 512 bits they don't end up with an even distribution among those primes; they are much more likely to pick from a subset consisting of primes for which NSA has already calculated every possible combination of keys. So every time NSA wants to break a key it just has to look it up. My half-assed calculations indicate that you would need a million hard drives to store, say, 2^50 keys in a minimalist fashion, but there are probably smarter ways to do it - and even if you have to send a clerk to grab a hard drive from a shelf and plug it in, it's still faster than trying to break it the old fashioned way.
posted by Joe in Australia at 2:34 AM on September 16, 2013


Let's suppose that our algorithms for producing random numbers are borked, and the NSA knows this.

I know a little bit about pseudo-random number generation, only enough for game design purposes. Still, in the event that it might be helpful, I will throw it into the pot.

They're pseudo-random numbers -- having an "algorithm" for producing random numbers is nonsensical. What we're talking about are algorithms that produce sequences of numbers that have, to our eyes, the properties of being random. But that's ultimately illusory; they're still patterns, and they have no more of the properties of true randomness than the sequence of integers.

Computers are by their nature deterministic machines; if they start doing random things it's generally a sign that things are going very wrong somewhere.

I did a bit of Wikipedia browsing on pseudo-random number generation. I turned up the story of RANDU, a notorious generator that IBM once pushed because the processors of the time had instructions of use in producing them relatively efficiently. They were actually not very random at all, but they became widely used before that was discovered. Oops.

The desirability of a RNG lies not just in the apparent randomness of its ordering, but in how easy it is to reverse engineer the seed from the values. RNGs generally work by starting with a seed value, putting that seed value through some obfuscating process (in the case of simple generators, this can be as simple as multiplying it by a constant, adding to it another constant, then taking the remainder of division by a very large prime), then using that new number as the seed for the next value. The result returned is also this number, but generally what gets used is only a portion of the value -- returned values might be 32 bits long for example, but most of that won't be visible to end users if the program is looking for a value from 1 to 4. The more such information is discarded, the more data an attacker will have to gather to figure out the seed.

The result of a RNG is a sequence of values, and ideally it's one that attackers won't be able to backtrack through. Because if you can figure out the seed, you can replay the sequence yourself, and get the same successive seeds that the original person used. If these numbers are being used as, or to generate keys, then you now know what the keys are, or are at least a solid step on the way to figuring that out.

By the way, human beings themselves are not very good sources of randomness either; try making up a list of random numbers yourself sometime, and it won't be too far into it that it'll become evident that you use obfuscating patterns too.

The solution to this, it seems to me, is to use better sources of randomness. Recent OSes can provide sources of randomness of stronger tenor. The Linux kernel, if I remember this correctly, maintains an "entropy pool" of random bits, added to through things like the precise timing of user keypresses. It can also utilize hardware randomness sources, although if the NSA has compromised such things that might not be desirable I guess.
posted by JHarris at 3:52 AM on September 16, 2013 [1 favorite]
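The two scenarios sketched in the comments above (a key generator whose "random" primes come from a tiny seed space, so every possible key can be precomputed and looked up; and an attacker backtracking a generator's seed from the values it exposes, then replaying the sequence) as one added example. This is constructed illustration code, not anything from the page or from any real library: the LCG constants, the 10-bit seed width, the 16-bit toy primes and the 16-hidden-bits assumption are all chosen here to keep it fast, and real RSA primes are hundreds of digits long.

```python
"""Weak-PRNG key generation: constructed example.

Two attacks on a toy key generator whose only randomness is a linear
congruential generator (LCG) seeded from a tiny seed space:
  1. a precomputed table from every possible modulus to its factors
     (the "equivalent of a rainbow table" idea), and
  2. recovery of the generator's hidden state from truncated outputs,
     after which every later output can be predicted.
"""
from typing import Dict, List, Optional, Tuple

# Classic LCG parameters (the multiplier/increment of the ANSI C rand() example);
# the weakness below comes from the seed space, not from these constants.
LCG_A, LCG_C, LCG_M = 1103515245, 12345, 1 << 31

SEED_BITS = 10      # assumption: the "borked" generator can only start 1024 ways
PRIME_BITS = 16     # assumption: toy primes so the table builds in under a second
HIDDEN_BITS = 16    # assumption: the application exposes only the top 15 of 31 bits


class LCG:
    def __init__(self, seed: int) -> None:
        self.state = seed % LCG_M

    def next_u31(self) -> int:
        self.state = (LCG_A * self.state + LCG_C) % LCG_M
        return self.state


def is_prime(n: int) -> bool:
    """Trial division; adequate for 16-bit candidates."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def draw_prime(rng: LCG, bits: int) -> int:
    """Pull candidates from the generator until one is prime. The top bit and
    the low bit are forced so every candidate is odd and full-size."""
    while True:
        cand = ((rng.next_u31() >> 8) % (1 << bits)) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def weak_rsa_modulus(seed: int) -> Tuple[int, int, int]:
    """n = p*q with both primes drawn from an LCG seeded by `seed`."""
    rng = LCG(seed)
    p = draw_prime(rng, PRIME_BITS)
    q = draw_prime(rng, PRIME_BITS)
    return p * q, p, q


def build_modulus_table() -> Dict[int, Tuple[int, int]]:
    """Enumerate every seed once; afterwards factoring is a dictionary lookup."""
    table: Dict[int, Tuple[int, int]] = {}
    for seed in range(1 << SEED_BITS):
        n, p, q = weak_rsa_modulus(seed)
        table[n] = (p, q)
    return table


def factor_by_lookup(n: int, table: Dict[int, Tuple[int, int]]) -> Optional[Tuple[int, int]]:
    return table.get(n)


def truncated_output(rng: LCG) -> int:
    """What the application shows the world: the top 15 bits of each state."""
    return rng.next_u31() >> HIDDEN_BITS


def clone_from_outputs(observed: List[int]) -> Optional[LCG]:
    """Brute-force the 16 hidden bits of the first observed output, keep the
    candidate that reproduces the rest, and return a generator in sync with the
    victim. Three or more outputs are required so a false match is negligible."""
    if len(observed) < 3:
        raise ValueError("need at least three observed outputs")
    top = observed[0]
    for low in range(1 << HIDDEN_BITS):
        candidate = LCG((top << HIDDEN_BITS) | low)
        if all(truncated_output(candidate) == o for o in observed[1:]):
            return candidate      # has now consumed exactly the observed values
    return None
```

With the table built, factoring any modulus the weak generator can produce is one dictionary lookup, and after four observed 15-bit values the cloned generator emits exactly what the victim emits next. Both attacks disappear if the seed really is drawn from a large, unpredictable source, which is the point of the comment above about feeding the entropy pool from real-world events.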


(If anyone finds anything to correct or add to the above, go ahead. Again, my interest in random numbers is mostly practical concerning game development.)
posted by JHarris at 12:48 PM on September 16, 2013


The Linux kernel, if I remember this correctly, maintains an "entropy pool" of random bits, added to through things like the precise timing of user keypresses. It can also utilize hardware randomness sources, although if the NSA has compromised such things that might not be desirable I guess.

The traditional Linux entropy pool and the output of an on-chip hardware RNG (e.g. Intel's RdRand) are kept separate but XORed together, if the latter is available, as part of the get_random_bytes() function.

A commented section of the relevant source code has been floating around. What's interesting is that the original code's comments are actually incorrect/contradictory; they say near the top of the file that the hardware RNG is not used in the function, when in fact it really is. Arguably it's in a benign way, but it's still used. At the very least I'd think that should be corrected.

Interestingly, FreeBSD uses a completely different random-number-generation scheme from Linux's entropy pool. The PRNG algorithm was designed, in part, by Bruce Schneier, and when in use it is periodically reseeded from real-world sources (keyboard interrupts, etc.). It's supposed to be more safe for virtualized systems, and probably is under some conditions. However, recent FreeBSD versions use the on-chip RNG (e.g. RDRAND/Bull Mountain) in preference to the PRNG algorithm without any postprocessing — something that seems like an extremely bad idea in retrospect. It's apparently possible to disable this behavior.
posted by Kadin2048 at 1:14 PM on September 16, 2013 [2 favorites]


I'm slightly nervous about just XORing in Intel's RNG, well who knows what it actually does, probably best post-processing it first, given that Intel really cannot be trusted.

I'm curious if anyone tries to rebuild Clang+LLVM using a GCC that predates the LLVM, rebuild Debian or whatever with that GCC, and compare results with regular GCCs. In principle, you could weed out the theoretical backdoor outlined by Ken Thompson, which probably even the NSA wouldn't try, given the maintenance costs, but who knows.
posted by jeffburdges at 1:27 PM on September 16, 2013


compare results with regular GCCs

I think that the results would almost certainly be different, and it would be very hard to know definitively whether the difference between one compiler and the other was purely benign or whether it was due to some sort of malicious behavior by the new compiler. That's what makes the theoretical Thompson attack so problematic. Modern compilers won't necessarily even come up with the exact same binary when run against the same input file two times in succession (there's some randomness built into stuff like the branch prediction logic).

Not saying that the analysis wouldn't be interesting but I think it'd be very, very hard to come up with a smoking gun.

Really, what we should have is some sort of national clean-room information laboratory that's validated from the ground up as being trustworthy. It's such an expensive capability to develop that it's probably a national-scale endeavor. Then key pieces of code could be compiled there. That would be a good job for an entity like NIST, in theory, except that now we know they were at least influenced by, if not actually in collusion with, NSA. Unfortunate, that.

I'm slightly nervous about just XORing in Intel's RNG, well who knows what it actually does, probably best post-processing it first

That would seem to be the safe approach, certainly. Unfortunately, HRH Torvalds was pretty dismissive of security concerns in /dev/random so I'm not sure what if any changes will be made. It seems like it would be pretty straightforward to take the output of the on-chip RNG and use it only as one possible source of entropy among others ... although I guess if you don't trust the CPU even that could be problematic. It's a hard problem at the least, but right now the kernel community doesn't seem to want to admit that there's a possible problem there at all.

My solution, of course, is simply to be such a cheapass that none of my computers are new enough to have one of those fancy-dancy Bull Mountain / RDRAND things anyway. Hah. (*cries*)
posted by Kadin2048 at 2:16 PM on September 16, 2013


In principle, you could control the compiler's source of randomness, and Clang+LLVM is far more modular, so enough extra code anywhere might stick out. Just saying "well no cross compiler virus propagates itself by keeping a patch for every version of gcc, clang+gcc, etc. ever" helps. You could then make cleaner build environments for distributions.
posted by jeffburdges at 4:07 PM on September 16, 2013


Now you see, this is why I sometimes just try to throw in what I know about an issue in a quiet thread -- sometimes it causes the really knowledgeable people to chime in with interesting stuff!

From my reading on the /dev/random Linux random number generator, it's implemented using a secure hash, basically a pool of bytes that can be spun by random sources. The nature of such a pool is, so long as the system remains secure (only privileged users can directly access the secure hash), injecting more bytes can only add to the randomness. So adding to the secure hash from hardware services at least doesn't harm things, unless, I guess, it affects the system's estimate of the randomness in the pool.

BTW, searching Teh Googles for "linux random secure hash" came up with this Stack Exchange thread where developers are strongly advised by multiple people to use /dev/urandom, not /dev/random, because who the heck needs strong randomness anyway? Those concerns seem incredibly quaint now....

(The difference between them is, when the system's estimate of the randomness of the entropy pool gets low, /dev/random will block, halting execution of the thread until other sources can fill it back up again, while /dev/urandom will keep serving up bytes regardless.)
posted by JHarris at 5:42 PM on September 16, 2013
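The concern raised a few comments up (XORing an untrusted on-chip RNG straight into the output, versus post-processing it first) and the hash-based pool described just above, as an added example. This is constructed illustration code, not the Linux, FreeBSD or any kernel's code: `Pool` is a minimal SHA-256 ratchet standing in for an entropy pool, and the hardware RNG is modelled as a callable so a malicious one can be plugged in.

```python
"""Mixing an untrusted hardware RNG: XOR at the output vs. hashing into the pool.
Constructed example; Pool is a stand-in for a kernel entropy pool."""
import hashlib
import os
from typing import Callable

HwRng = Callable[[bytes], bytes]    # takes what it can observe, returns 32 bytes


class Pool:
    """Entropy pool as a SHA-256 ratchet: the state is only ever replaced by a
    hash of (old state || new input), so mixing in more bytes, even
    attacker-chosen ones, cannot make the state easier to guess."""

    def __init__(self, seed_material: bytes) -> None:
        self.state = hashlib.sha256(b"init" + seed_material).digest()

    def mix(self, data: bytes) -> None:
        self.state = hashlib.sha256(b"mix" + self.state + data).digest()

    def extract(self) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()
        self.mix(b"ratchet")   # advance the state so old outputs cannot be re-derived
        return out


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def random_xor_at_output(pool: Pool, hw_rng: HwRng) -> bytes:
    """The questioned design: pool output XOR hardware output. The hardware
    RNG is handed the pool output because a generator sitting inside the CPU
    can observe the value it is about to be combined with."""
    pool_out = pool.extract()
    return xor_bytes(pool_out, hw_rng(pool_out))


def random_hash_into_pool(pool: Pool, hw_rng: HwRng) -> bytes:
    """Post-processed design: the hardware output is just one more input to
    the pool, and the result is derived from the pool state, not XORed."""
    pool.mix(hw_rng(b""))
    return pool.extract()


def honest_hw_rng(_observed: bytes) -> bytes:
    return os.urandom(32)


def make_malicious_hw_rng(target: bytes) -> HwRng:
    """A generator whose outputs look random (they are XOR masks of a random
    value) but which forces an XOR combiner to emit `target`."""
    def hw(observed: bytes) -> bytes:
        if len(observed) == len(target):
            return xor_bytes(observed, target)
        return os.urandom(len(target))
    return hw
```

With the XOR combiner the malicious generator dictates the final bytes outright; hashed into the pool it would need a SHA-256 preimage to do the same. The model only covers a hardware RNG that chooses its output, though. A CPU that is itself malicious also executes the hash, which is the harder problem the comment above alludes to.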




From Schneier's blog: Surreptitiously Tampering with Computer Chips

This is really interesting research: "Stealthy Dopant-Level Hardware Trojans." Basically, you can tamper with a logic gate to be either stuck-on or stuck-off by changing the doping of one transistor. This sort of sabotage is undetectable by functional testing or optical inspection. And it can be done at mask generation -- very late in the design process -- since it does not require adding circuits, changing the circuit layout, or anything else. All this makes it really hard to detect.


Quite scary. There's probably a way to make provably-correct chips, and we might be forced down that road. I imagine that they'd have to be a lot less sophisticated than present designs.
posted by Joe in Australia at 7:13 PM on September 16, 2013 [1 favorite]


VIA's security application notes [pdf] document describing their Padlock engine features has a general discussion of random number generators as well as implementation specific details. It goes into various sources of randomness, mixing said randomness, and more. And that's just the RNG part.
posted by wierdo at 2:22 AM on September 17, 2013 [1 favorite]


UK Cryptographers call for U.S. and U.K. to out deliberately weakened protocols and products
Bristol Cryptography Blog : Open Letter From UK Security Researchers

Apparently Snowden only accessed overview type information about the NSA's activities, which really never needed to be classified anyways, not technical details that actually require secrecy, which makes sense if you think about it. I'd love it though if anyone leaks proof that vulnerabilities created by the NSA were later found and exploited by criminals or foreign governments.
posted by jeffburdges at 2:53 AM on September 17, 2013 [2 favorites]


Oh, one interesting thing to note is a difference between the implementation of VIA's hardware RNG and Intel's is that VIA allows you to get the unwhitened output of the RNG before any of the hardware whitening routines operate. It appears that in Intel's implementation, you just get what you get, and they claim that as an advantage.
posted by wierdo at 2:57 AM on September 17, 2013




Google's translation of Jeffburdge's link. Basically, the Europeans are very unhappy that the USA is totally ignoring their data protection laws, in violation of agreements it signed with them.
posted by Joe in Australia at 4:59 PM on September 17, 2013 [1 favorite]




So does that mean there is a back door in Linux or what? I guess we have to assume everything has some type of backdoor in it nowadays.
posted by AElfwine Evenstar at 9:36 AM on September 19, 2013


wierdo,

The report on the Intel RNG basically reads "We never saw the hardware, and production removes all the debug data that would prove any of this was true".

That's pretty weird.
posted by effugas at 9:50 AM on September 19, 2013 [2 favorites]




Wow! Just imagine how much better you could hide a backdoor in C++, thanks to overloading, complexity, etc. Inheritance and casting surely makes Java quite vulnerable too, although interfaces might increase vulnerability less than most polymorphism features.

I'd assume the strongly typed functional languages like Haskell and ML offer most resistance, although commonly their compilers offer "weaken the type checking" compile time flags, which probably eliminate any benefit.
posted by jeffburdges at 12:36 PM on September 19, 2013






RSA warns developers not to use RSA products. "RSA has recommended that developers desist from using the (allegedly) 'backdoored' Dual_EC_DRBG random number generator -- which happens to be the default in RSA's BSafe cryptographic toolkit."
posted by Nelson at 7:09 PM on September 20, 2013 [3 favorites]
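How the Dual_EC_DRBG trapdoor that RSA is warning about actually works, as an added toy example. This is constructed illustration code, not anything from the page, from RSA BSafe or from NIST SP 800-90A: the curve y^2 = x^3 + 7 over p = 2^31 - 1, the 8 dropped bits (the standard drops 16 from a P-256 coordinate), the seed and the trapdoor value d are all chosen here. Q is picked from the curve at runtime and P is defined as d*Q; the standard's published P and Q are the same kind of pair with nobody outside able to check whether such a d exists.

```python
"""Toy Dual_EC_DRBG with a known P = d*Q relationship. Constructed example."""
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None is the point at infinity

P_MOD = (1 << 31) - 1               # prime and 3 mod 4, so sqrt is a single pow()
CURVE_A, CURVE_B = 0, 7             # y^2 = x^3 + 7 over F_p (assumption)
DROP_BITS = 8                       # most significant bits removed from x(rQ)
OUT_BITS = 31 - DROP_BITS
OUT_MASK = (1 << OUT_BITS) - 1


def ec_add(p1: Point, p2: Point) -> Point:
    """Affine point addition with None as the identity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P_MOD == 0:
            return None                              # p1 == -p2
        lam = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k: int, pt: Point) -> Point:
    acc: Point = None
    while k > 0:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def lift_x(x: int) -> Optional[int]:
    """A y with (x, y) on the curve, or None if x is not an x-coordinate."""
    rhs = (x * x * x + CURVE_A * x + CURVE_B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return y if y * y % P_MOD == rhs else None


def x_of(pt: Point) -> int:
    if pt is None:
        raise RuntimeError("hit the point at infinity; choose a different seed")
    return pt[0]


def first_curve_point(start_x: int) -> Tuple[int, int]:
    x = start_x
    while True:
        y = lift_x(x)
        if y is not None:
            return (x, y)
        x += 1


Q = first_curve_point(2)
TRAPDOOR_D = 0xC0FFEE            # the secret: P = d*Q (assumption)
P = ec_mul(TRAPDOOR_D, Q)


class DualEC:
    """Per block: r = x(sP); s <- x(rP); output = x(rQ) with the top bits dropped."""

    def __init__(self, seed: int) -> None:
        self.s = seed % P_MOD

    def next_block(self) -> int:
        r = x_of(ec_mul(self.s, P))
        self.s = x_of(ec_mul(r, P))
        return x_of(ec_mul(r, Q)) & OUT_MASK


def recover_generator(block1: int, block2: int) -> Optional[DualEC]:
    """From two consecutive output blocks and the trapdoor d, return a DualEC in
    the victim's current state. For each guess of the dropped bits, lift the
    candidate x(rQ) to a point, multiply by d to obtain rP (the next internal
    state), and keep the guess that reproduces block2."""
    for high in range(1 << DROP_BITS):
        x = (high << OUT_BITS) | block1
        if x >= P_MOD:
            continue
        y = lift_x(x)
        if y is None:
            continue
        next_state = ec_mul(TRAPDOOR_D, (x, y))      # d*(rQ) = r*(dQ) = rP
        if next_state is None:
            continue
        candidate = DualEC(next_state[0])
        if candidate.next_block() == block2:
            return candidate
    return None
```

Whoever knows d needs about 2^DROP_BITS curve multiplications and two consecutive output blocks (a single TLS ServerHello's random field is enough in the real protocol) to recover the state and generate every subsequent "random" value. Without d the generator is as hard to attack as the elliptic-curve discrete log, which is why the backdoor is invisible to anyone auditing only the algorithm.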


Fully Countering Trusting Trust through Diverse Double-Compiling

But you need a trusted compiler — isn't the point of Ritchie's lecture that you can't even trust the build tools?
posted by Blazecock Pileon at 10:38 AM on September 21, 2013


But you need a trusted compiler — isn't the point of Ritchie's lecture that you can't even trust the build tools?

As mentioned above, there's a certain suspension of disbelief that needs to go into believing the compiler has been subverted such that it will subvert future builds of compilers that are built with whatever ridiculous set of custom build flags with source that has certainly diverged from the original subverted compiler on diverse architectures.

That said, it seems that in the interest of eating your own dog food (note to people that develop curriculum), a security engineer should make a point to take a course on compilers and build one's self a trusted one. If only so you have the option to verify available to you.
posted by bfranklin at 3:04 PM on September 21, 2013


In practice, there is a limit on the NSA's ability to employ Ken Thompson's attack because all the participating compilers, linkers, etc. must know about all other participating software.

The LLVM started in 2000. Clang started much later. All the GCC 2.95 releases occurred in 1999.

Find yourself a GCC 2.95 or earlier, or an EGCS, or any other pre-2000 compiler. Find a chain of documents whose hashes corroborate this compiler being pre-2000, like say locate a pre-2000 signature of GCC by the FSF in an old printout or a tape backup, or maybe a chain of signed Usenet postings. Just note, I'm not talking about verifying some document's RSA signature, but actually verifying a chain of hashes manually. Repeat this process with any software you consider suspect, like the Linux kernel and GNU dynamic linker, libc, etc.

Next, build yourself a minimalist air gapped machine : Install all this verifiably pre-2000 software. Avoid even installing any login or networking related tool, just boot directly into the shell. Install a small hack that lets you control the randomness used by GCC and Clang+LLVM. Recompile a modern Clang+LLVM. Now you've a modern Clang+LLVM that contains no compile time modifications because the NSA cannot go back in time to modify a 1999 GCC, Linux, etc. for software first written in 2000.

Use this Clang+LLVM to recompile a modern GCC, Linux kernel, and GNU dynamic linker, libc, etc. Finally, publish all this software along with the public hash chains you used to verify them and the randomness your compilations employed, so that others may reproduce your work exactly. Invite anyone to (a) inspect their source code for suspicious code, (b) use them to hunt for differences in compiler output elsewhere, and (c) use them for clean build machines.
posted by jeffburdges at 1:33 AM on September 22, 2013


AElfwine Evenstar: "So does that mean there is a back door in Linux or what? I guess we have to assume everything has some type of backdoor in it nowadays."

WTF. I spend years trying to keep my tinfoil hat tendencies toned down and crap like this happens.
posted by Samizdata at 1:56 PM on September 22, 2013 [1 favorite]


WTF. I spend years trying to keep my tinfoil hat tendencies toned down and crap like this happens.

I was getting ready to make the switch myself, and have a couple friends who already have. Then this shit comes out. Assuming that there isn't a back door in Linux; is it safe to dual boot with windows or are you screwing yourself the moment you install Windows?
posted by AElfwine Evenstar at 7:32 PM on September 22, 2013


It depends on what you're worried about Windows doing to Linux. If you're worried about a relatively unsophisticated (but still rather sophisticated for the usual malware) attack that tries to mount your Linux partition and read data from it, you can use dm-crypt and have almost everything encrypted such that it cannot be read from Windows even with a filesystem driver that can read a Linux partition.

However, this is vulnerable to an attacker rewriting your Linux kernel or initrd from Windows. If, however, you have a computer that supports secure boot, you can configure your computer such that it will only boot a properly signed kernel which will only read a properly signed initrd and thus can't be rewritten by a Windows virus to do whatever. At least if you're trying to dual boot Windows 8 and Linux. I don't think Windows 7 can be booted with secure boot enabled.

Of course, your data is always vulnerable to being wiped intentionally or accidentally by something done in Windows, but you can make it hard for someone to steal your data using Windows as a vector.
posted by wierdo at 7:55 PM on September 22, 2013


There are three likely OS level attacks : (1) Network stack holes that let remote attackers get in, probably buffer overruns. (2) Privilege escalation attacks that let someone already inside, maybe buffer overruns maybe not. (3) Intentionally weakened random number generators.

For (1), minimize direct network access by properly configuring a firewall. In particular, I'd make said firewall tighter for Windows than Linux, possibly by making the Linux machine act as a second firewall for the Windows machine, or virtualizing Windows under Linux rather than dual booting.

All this helps with (2) since an attacker must get inside somehow, but the specific advice for (2) should be do as much as possible on the Linux machine. For (3), use the Linux machine for anything sensitive.

I'd recommend an air gapped machine if you do anything that is both sensitive and makes government interference likely, like early organizing for certain protests : Anonymous, Keystone XL, etc.
posted by jeffburdges at 2:44 AM on September 23, 2013


With regards to Linus Torvalds being asked to place a backdoor in Linux (via Mashable):
"Oh, Christ. It was obviously a joke, no government agency has ever asked me for a backdoor in Linux," Torvalds told Mashable via email. "Really. Cross my heart and hope to die, really."
posted by RichardP at 8:25 PM on September 23, 2013 [2 favorites]


Who rooted kernel.org servers two years ago, how did it happen, and why?. (Answer: we still don't know.)
posted by Nelson at 9:02 AM on September 24, 2013 [3 favorites]


What the heck is going on with NIST’s encryption standard, SHA-3? (Surface answer: NIST's standardization process seems to have weakened the underlying Keccak algorithm. Deep answer: NSA has hopelessly compromised NIST's ability to standardize any cryptography technology, thereby weakening US and global security.)
posted by Nelson at 2:29 PM on September 24, 2013 [2 favorites]


Deep answer: NSA has hopelessly compromised NIST's ability to standardize any cryptography technology, thereby weakening US and global security

That's not a conclusion that the blog's author came to.
posted by nightwood at 9:21 PM on September 24, 2013


Fair enough, the CDT blog says "It’s in no one’s interest to feed the flames of NIST scaremongering and we all have an interest in NIST as a trusted place for science and standardization." So maybe NIST's weakening of SHA-3 is just incompetence we can fix, not deliberate NSA sabotage.
posted by Nelson at 7:56 AM on September 25, 2013


The thing about there being a backdoor in Linux is, it's open source. If there is one, someone can find it. Sure there's tons of code there to sift through, and not everyone understands every algorithm, but if you got a lot of people to work on it, it's possible.

I'd be surprised if there weren't groups out there doing that right now.
posted by JHarris at 6:13 PM on September 25, 2013


(This more than anything else in recent memory justifies Debian's hardcore-open-source approach.)
posted by JHarris at 6:13 PM on September 25, 2013


What the heck is going on with NIST’s encryption standard, SHA-3?

The author has since corrected the title to "What the heck is going on with NIST’s cryptographic standard, SHA-3?" because of course SHA-3 is a hash function, not an encryption standard.

Reading the PDF I'm confused. There's a difference between "security level" and the digest size ("capacity" in the PDF) that I don't understand. All it looks like NIST did was retain Keccak-256 and Keccak-512, and not Keccak-224 or Keccak-384, which does not mean they eliminated stronger variants of the algorithm from the standard. The "security level" of Keccak-512 was always 256 bits and that hasn't changed in SHA3-512. (Has it?)
posted by Pruitt-Igoe at 1:25 AM on September 26, 2013


Here's another article about Kelsey's talk, and some discussion on crypto.stackexchange (read the answer).
posted by Pruitt-Igoe at 11:39 AM on September 26, 2013

